Chinese Linux rootkit

Once in a while I take a look at the files downloaded by the SSH honeypot.

Lately I saw a download of “linux-2.6.27.el6” which made me wonder.

If you are interested: there are more files available for download at http://222.186.15.13:8520/ (a live malware drop site at the time of writing; fetch from an isolated analysis host only, never from a workstation).

...probably all trojans and rootkits.

The URL schemes the kit knows about include even gopher 🙂

gopher
http
https
file
news
mailto
socks

(A scheme table like this usually belongs to a bundled URL-parsing library rather than to the bot's own logic, so it says little about which protocols the bot actually speaks.)

A quick `strings` on that file showed a lot of Chinese IP addresses, plus replacements for some commands (netstat, ps, lsof) and a list of what look like C++ class names of the attack modules (UDP, SYN, ICMP, DNS floods and so on). The leading digits are the identifier length, which is how RTTI type names (`_ZTS11CAttackBase`) show up in `strings` output:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
7CSerial

Short excerpt (maybe these addresses are known elsewhere?):

203.142.100.21
203.186.94.20
203.186.94.241
221.7.1.20
61.128.114.133
61.128.114.166
218.202.152.130
61.166.150.123
202.203.128.33
211.98.72.7
211.139.29.68
211.139.29.150
211.139.29.170
221.3.131.11
222.172.200.68
61.166.150.101
61.166.150.139
202.203.144.33
202.203.160.33
202.203.192.33
202.203.208.33
202.203.224.33 ...and so on.
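As an added triage example (not code from the original post, and not the kit's own code), the following Python script repeats the `strings` pass above on a constructed byte blob that stands in for the downloaded sample: it extracts printable runs as `strings -n 4` would, decodes the length-prefixed RTTI type names into class names (rejecting strings whose digit prefix does not match the identifier length), picks out the paths of the tools the kit replaces, and keeps only syntactically valid, globally routable IPv4 addresses so that junk like 999.x.x.x, loopback and RFC 1918 ranges never reach an indicator list. The `SAMPLE` bytes and the `triage` function are constructed for this example.

```python
import ipaddress
import json
import re

# Constructed stand-in for the downloaded binary (NOT the real sample):
# a few byte runs resembling what `strings` printed for linux-2.6.27.el6.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"gopher\x00http\x00https\x00file\x00news\x00mailto\x00socks\x00"
    + b"\x90\x90"
    + b"11CAttackBase\x0013CPacketAttack\x0010CAttackSyn\x007CSerial\x00"
    + b"9Cfoo\x00"  # wrong length prefix: must be rejected as a type name
    + b"/bin/netstat\x00/bin/ps\x00/usr/sbin/lsof\x00"
    + b"203.142.100.21\x00127.0.0.1\x00999.1.1.1\x00192.168.0.5\x00"
    + b"61.128.114.133\x00"
    + b"\xff\xfe\x00\x01"
)

# Schemes seen in the sample and the tools the kit replaces (from the post).
URL_SCHEMES = {"gopher", "http", "https", "file", "news", "mailto", "socks"}
REPLACED_TOOLS = {"netstat", "ps", "lsof"}

# Itanium C++ ABI source name: <decimal length><identifier>
MANGLED = re.compile(r"^(\d+)([A-Za-z_]\w*)$")
# Dotted quad not glued to other digits; validity is checked separately.
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def demangle_type_names(strs) -> list:
    """'11CAttackBase' -> 'CAttackBase'; the prefix must equal the identifier length."""
    out = []
    for s in strs:
        m = MANGLED.match(s)
        if m and int(m.group(1)) == len(m.group(2)):
            out.append(m.group(2))
    return out


def extract_public_ipv4(strs) -> list:
    """Unique, valid, globally routable IPv4 addresses in order of first appearance."""
    found = []
    for s in strs:
        for cand in IPV4.findall(s):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ValueError:  # an octet above 255, e.g. 999.1.1.1
                continue
            if ip.is_global and str(ip) not in found:
                found.append(str(ip))
    return found


def triage(data: bytes) -> dict:
    """Static first look at a dropped binary; never executes it."""
    strs = extract_strings(data)
    return {
        "schemes": sorted(s for s in strs if s in URL_SCHEMES),
        "classes": demangle_type_names(strs),
        "tool_paths": [s for s in strs
                       if s.startswith("/") and s.rsplit("/", 1)[-1] in REPLACED_TOOLS],
        "ips": extract_public_ipv4(strs),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

To run it on a real download, call `triage(open(path, "rb").read())` from the analysis box; the script only reads the bytes, so the sample is never executed.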
