
Chinese linux-rootkit

Friday, July 18th, 2014

Once in a while I take a look at the files downloaded by the ssh-honeypot.

Lately I saw a download of “linux-2.6.27.el6”, which made me wonder.

If you are interested: there are more files available for download at http://222.186.15.13:8520/

…probably all trojans and rootkits.

The protocols known to that kit even include gopher 🙂

gopher
http
https
file
news
mailto
socks

A quick “strings” run on that file showed a lot of Chinese IP addresses, plus some replaced commands (netstat, ps, lsof) and a few additional options:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
7CSerial

Short excerpt (maybe these addresses are known elsewhere?):

203.142.100.21
203.186.94.20
203.186.94.241
221.7.1.20
61.128.114.133
61.128.114.166
218.202.152.130
61.166.150.123
202.203.128.33
211.98.72.7
211.139.29.68
211.139.29.150
211.139.29.170
221.3.131.11
222.172.200.68
61.166.150.101
61.166.150.139
202.203.144.33
202.203.160.33
202.203.192.33
202.203.208.33
202.203.224.33
…and so on.
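As an added example (not part of the original post, and not code from the kit), here is a small Python triage script that does what the post does by hand: it pulls IPv4 addresses out of “strings” output, drops malformed and non-routable ones, and decodes the length-prefixed C++ class names. The numeric prefix in names like 11CAttackBase is the Itanium C++ ABI encoding of a type name, which is how GCC stores the typeinfo name strings of classes in a binary, so the prefix must equal the length of the identifier that follows. The sample input is constructed from the strings quoted above; all function names are my own.

```python
"""Triage helper for `strings` output of a suspect ELF binary.

Added example (not from the original post): extracts IPv4 addresses and
decodes the length-prefixed C++ class names (Itanium ABI typeinfo names
such as '11CAttackBase') that `strings` prints from a stripped binary.
The sample input below is constructed from the strings quoted in the post.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a few lines as `strings` would print them,
# taken from the excerpts shown in the post plus some noise lines.
SAMPLE_STRINGS = """\
gopher
http
11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
7CSerial
/bin/netstat
/bin/ps
203.142.100.21
61.128.114.133
202.203.224.33
999.1.1.1
127.0.0.1
10.0.0.5
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Itanium ABI source-name: decimal length followed by exactly that many chars.
MANGLED_RE = re.compile(r"^(\d+)([A-Za-z_][A-Za-z0-9_]*)$")


def extract_ipv4(lines):
    """Return the valid, globally routable IPv4 addresses found in lines.

    Candidates with an octet > 255 (e.g. 999.1.1.1) and non-global ones
    (loopback, RFC 1918) are dropped so the result is usable as an
    alert or block list.
    """
    found = []
    for line in lines:
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # octet out of range, not a real address
            if addr.is_global:
                found.append(str(addr))
    return found


def decode_typeinfo_name(s):
    """Decode a length-prefixed identifier like '11CAttackBase' -> 'CAttackBase'.

    Returns None if s is not of that form or the length does not match,
    which filters out ordinary strings that merely start with a digit.
    """
    m = MANGLED_RE.match(s)
    if not m:
        return None
    length, name = int(m.group(1)), m.group(2)
    return name if len(name) == length else None


def extract_class_names(lines):
    """Return decoded C++ class names, in order of first appearance."""
    names = []
    for line in lines:
        name = decode_typeinfo_name(line.strip())
        if name and name not in names:
            names.append(name)
    return names


def summarize(text):
    """Summarize one `strings` dump: class names, global IPs, /16 clustering."""
    lines = text.splitlines()
    ips = extract_ipv4(lines)
    classes = extract_class_names(lines)
    # Counting /16 prefixes makes clusters of hard-coded hosts stand out.
    prefixes = Counter(".".join(ip.split(".")[:2]) for ip in ips)
    return {"ips": ips, "classes": classes, "prefixes": dict(prefixes)}


if __name__ == "__main__":
    result = summarize(SAMPLE_STRINGS)
    print("decoded classes:", ", ".join(result["classes"]))
    print("global IPv4    :", ", ".join(result["ips"]))
    print("/16 prefixes   :", result["prefixes"])
```

To run it against a real sample, pipe the output of “strings -a” on the binary into summarize() instead of the constructed text; the decoded class names give a quick picture of what the code was built to do, and the address list is what you would feed into a firewall or IDS watchlist.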