On the 23rd of July I started with the SSH honeypot kippo. So after a good two months I decided to collect all the URLs/locations those “1337 h4x0rs” are wgetting all their files from (rootkits/ircbots/scanners).
I came up with the following list:

Now, I am not saying that these sites are “evil”. Chances are most likely that they are compromised themselves. So, just simply putting them on a blacklist isn't a good idea.

Some of these links contain open directories, including all sorts of files, while other sites simply may have disappeared into thin air. It's purely a list I extracted from the database my kippo is writing its results to.
As kippo also stores the obtained files, I have a copy of every single one of them for further analysis.
Use this information and/or containing files at your own risk.

Kippo also keeps track of every typed command in every “session”.

One particular session I found too funny not to share:


http://www.youtube.com/watch?v=FwZCWcfwzZ0


Thanks to Justin Elze, for helping me out with the video.
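
As an added illustration (not part of the original post and not the author's own script), here is one way such a list of download locations could be pulled from a honeypot's command log. It assumes the log is a table named `input` with `session`, `timestamp` and `input` columns, uses an in-memory SQLite stand-in filled with constructed sample rows, and defangs each URL so the resulting list is not clickable.

```python
import re
import shlex
import sqlite3

# Constructed sample rows (session, timestamp, input); not data from the post.
SAMPLE = [
    ("s1", "2010-09-01 10:00:00", "uname -a"),
    ("s1", "2010-09-01 10:00:09", "wget http://files.example.com/a/bot.tgz; tar xzf bot.tgz"),
    ("s2", "2010-09-02 03:14:00", "cd /tmp && wget -q files.example.com/a/bot.tgz"),
    ("s3", "2010-09-03 22:41:00", "curl -O ftp://ftp.example.net/pub/scan.tar"),
]
# Options whose next argument is a value (file name, user agent), not a URL.
VALUE_OPTS = {"wget": {"-O", "-o", "-P", "-U"}, "curl": {"-o", "-A", "-e"}}
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # naive split of chained commands

def load_sample():
    conn = sqlite3.connect(":memory:")  # stand-in for the honeypot database
    conn.execute("CREATE TABLE input (session TEXT, timestamp TEXT, input TEXT)")
    conn.executemany("INSERT INTO input VALUES (?, ?, ?)", SAMPLE)
    return conn

def extract_urls(line):  # URLs handed to wget/curl in one logged command line
    urls = []
    for part in SEPARATORS.split(line):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes in what was typed
            argv = part.split()
        if not argv or argv[0] not in VALUE_OPTS:
            continue
        skip = False
        for arg in argv[1:]:
            if skip or arg.startswith("-"):
                # an option: remember whether its value follows; a value: consume it
                skip = not skip and arg in VALUE_OPTS[argv[0]]
            else:  # both tools default to http when no scheme is given
                urls.append(arg if "://" in arg else "http://" + arg)
    return urls

def defang(url):  # http -> hxxp, ftp -> fxp, dots in the host -> [.]
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("t", "x") + "://" + host.replace(".", "[.]") + slash + path

def download_sources(conn):  # defanged URL -> number of distinct sessions
    sessions = {}
    for session, line in conn.execute("SELECT session, input FROM input ORDER BY timestamp"):
        for url in extract_urls(line):
            sessions.setdefault(defang(url), set()).add(session)
    return {url: len(ids) for url, ids in sessions.items()}
```

Calling `download_sources(load_sample())` returns the per-URL session counts; counting sessions rather than raw hits shows which locations are reused across separate intrusions.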


Comment by Ken Pryor on October 4, 2010 at 11:08am
This was great fun to watch and good info too. Thanks Leon! I may have to give Kippo a try since I'm not having much luck attracting what I want with dionaea.
Comment by Jayson E. Street on September 28, 2010 at 7:55am
