Once in a while I take a look in the downloaded files from the ssh-honeypot.
Lately I saw a download of “linux-2.6.27.el6” which made me wonder.
If you are interested: There are more files available for download at http://222.186.15.13:8520/
...probably all trojans and rootkits.
The known protocols of that kit include even gopher 🙂
gopher
http
https
file
news
mailto
socks
A short “strings” on that file showed a lot of Chinese IP addresses, plus some replaced commands (netstat, ps, lsof) and a few additional options:
11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
10CAttackTns
9CAttackIe
7CSerial
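Those length-prefixed names are how the Itanium C++ ABI stores RTTI type names (what `typeid(CAttackBase).name()` returns), so a few lines of Python can pull the class list and the embedded addresses out of `strings` output for triage. This is an added example, not code from the original post; the `SAMPLE_STRINGS` input is constructed here to mimic the post, not taken from the real binary.

```python
import re
from typing import Iterable

# Constructed sample of `strings` output modelled on the post (not the real binary).
SAMPLE_STRINGS = """\
11CAttackBase
13CPacketAttack
10CAttackSyn
7CSerial
9CAttackCc
netstat
203.142.100.21
999.1.1.1
61.166.150.123
gopher
"""

# Itanium C++ ABI <source-name>: decimal length followed by exactly that many identifier chars.
_SOURCE_NAME = re.compile(r"^(\d+)([A-Za-z_][A-Za-z0-9_]*)$")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def demangle_source_name(s: str):
    """Return the identifier if `s` is a length-prefixed source name whose length
    matches (e.g. '11CAttackBase' -> 'CAttackBase'), else None."""
    m = _SOURCE_NAME.match(s.strip())
    if not m:
        return None
    length, ident = int(m.group(1)), m.group(2)
    return ident if len(ident) == length else None


def valid_ipv4(s: str) -> bool:
    """Reject dotted quads that merely look like addresses (octets above 255)."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def triage(lines: Iterable[str]) -> dict:
    """Collect RTTI class names and unique, valid IPv4 literals from `strings` output."""
    classes, ips = [], []
    for line in lines:
        line = line.strip()
        name = demangle_source_name(line)
        if name:
            classes.append(name)
            continue
        for ip in _IPV4.findall(line):
            if valid_ipv4(ip) and ip not in ips:
                ips.append(ip)
    return {"classes": classes, "ipv4": ips}
```

Feed it `strings -n 6 sample.bin` on a real file; the class names give a quick capability summary before any dynamic analysis, and the address list can be checked against your own blocklists.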
A short excerpt (maybe these addresses are known elsewhere?):