Meanwhile I captured 268 samples of disknyp.
It can be found at: http://198.2.192.204:22/disknyp
Cool .. a webserver on the SSH port 🙂
The server answers with:
Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1
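The headers above are enough to fingerprint the distribution point: the `Server` line names the product and version, and the URL shows an HTTP service sitting on a port where SSH would normally be expected. The following is an added example, not code from the original post: it parses a response head constructed from the header lines the post shows (with a status line added so it forms a complete HTTP head), extracts the product and version, and flags the port mismatch and the `no-store` cache policy for triage. The `EXPECTED_SERVICE` table is an assumption for illustration.

```python
"""Fingerprint an HTTP response captured from a sample distribution point.

Added example, not part of the original post. The response text is
constructed from the header lines the post reports; the URL and port
are the ones the post names.
"""
from urllib.parse import urlparse

# Constructed: the header block as the post reports it, plus a status line
# and the terminating blank line so it parses as a full HTTP response head.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4440\r\n"
    "Accept-Ranges: bytes\r\n"
    "Server: HFS 2.3 beta\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate, max-age=-1\r\n"
    "\r\n"
)

SAMPLE_URL = "http://198.2.192.204:22/disknyp"  # from the post

# Assumed mapping of ports to the service usually found there; an HTTP
# answer on a non-HTTP port is worth a finding on its own.
EXPECTED_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http",
                    443: "https", 8080: "http"}


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, header dict).

    Header names are lower-cased so lookups do not depend on the server's
    capitalisation; the body, if any, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort triage
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint_server(headers):
    """Return (product, version) from the Server header, or (None, None)."""
    server = headers.get("server")
    if not server:
        return None, None
    product, _, version = server.partition(" ")
    return product, (version or None)


def assess(url, raw_response):
    """Combine URL and header observations into a list of triage findings."""
    status, headers = parse_response_head(raw_response)
    product, version = fingerprint_server(headers)
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)

    findings = []
    if product:
        findings.append(f"server product: {product} {version or ''}".strip())
    expected = EXPECTED_SERVICE.get(port)
    if expected and expected not in ("http", "https"):
        findings.append(f"http service on port {port} (expected {expected})")
    if "no-store" in headers.get("cache-control", ""):
        findings.append("no-store cache policy: content not meant to be cached")
    return {"status": status, "server": (product, version),
            "port": port, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SAMPLE_URL, CAPTURED_RESPONSE)["findings"]:
        print(finding)
```

The product/version pair is what you would match against the HFS download the post links to, and the port finding is the kind of anomaly that a honeypot operator turns into a network detection rule (HTTP response headers seen on port 22).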
Looks like the running webserver is from:
http://ha-hfs.googlecode.com/files/hfs2.3 beta271.exe
Also available for download on this webserver is a
svch.exe, probably infected, for Windows machines.
VirusTotal says only 24 of 48 antivirus vendors detect this
trojan.
MD5 9d37ef3a5388b1d3d67a8759f178dd2d
SHA1 c09437f9d2752fc8ded68429ac33392c846370fc
SHA256 5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b
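The three digests above are the indicators a defender would load into a lookup. The following is an added example, not code from the original post: it hashes a file (or a byte string) with all three algorithms, compares the result against the post's indicators case-insensitively, and distinguishes a full match from a partial one, since a file matching on one digest but not another points at a bad indicator entry rather than at the sample. The sample bytes in the usage block are constructed and are not the malware.

```python
"""Match file hashes against the svch.exe indicators published in the post.

Added example, not from the original post. Only the three indicator
values come from the post; the helper code and the sample input are new.
"""
import hashlib

# Indicators exactly as the post lists them for svch.exe.
IOCS = {
    "md5": "9d37ef3a5388b1d3d67a8759f178dd2d",
    "sha1": "c09437f9d2752fc8ded68429ac33392c846370fc",
    "sha256": "5c7d2aa53e55977b1bd677d6a3415c7e9900769fc49e9e3bed1fd42d73f0381b",
}


def hash_bytes(data):
    """Return lowercase hex digests of `data` for every algorithm in IOCS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOCS}


def hash_path(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples are not read into memory at once."""
    hashers = {algo: hashlib.new(algo) for algo in IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(hashes, iocs=IOCS):
    """Return the list of algorithms whose digest equals an indicator.

    Comparison is case-insensitive because feeds publish hashes in either
    case. Algorithms missing from `hashes` are simply not compared.
    """
    matched = []
    for algo, expected in iocs.items():
        got = hashes.get(algo)
        if got and got.lower() == expected.lower():
            matched.append(algo)
    return matched


def classify(hashes, iocs=IOCS):
    """Summarise the comparison for a triage log line."""
    matched = match_iocs(hashes, iocs)
    if len(matched) == len(iocs):
        return "known-bad (all indicators match)"
    if matched:
        # One digest matching while another differs means the indicator
        # set itself is inconsistent; flag it rather than trusting it.
        return "partial match on " + ", ".join(matched) + ": verify indicator source"
    return "no match"


if __name__ == "__main__":
    # Constructed stand-in for a file pulled from the honeypot; not the sample.
    sample = b"MZ" + b"\x00" * 62 + b"not the real sample\n"
    print(classify(hash_bytes(sample)))
```

For a directory of captured samples, call `hash_path` on each file and log `classify` beside the digests; keeping all three algorithms means a feed that publishes only one of them can still be matched.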
Tags: Honeypots