# A Useful List of Recent Malware Caught on VPS Server



## howardsl2 (Mar 24, 2014)

Hello all,

I have taken the time to compile a list that summarizes recent malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded these files after breaking into the honeypot, and tried to run them immediately. Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious or illegal stuff.

Included are the MD5SUMs of those files as well as possible filenames used by the attackers. I compiled this list in the hopes that it could benefit you as a server owner, or VPS provider. Possible uses include searching for infected files or processes on your server for removal. However, please note that this list is by no means complete or accurate. USE AT YOUR OWN RISK!

The list is hosted on GitHub Gist. I plan to update it periodically as needed.     
Link: https://gist.github.com/hwdsl2/9737420
 

Example steps to check files in a folder (correct me if any command is wrong):

1. Browse to my list above, copy and paste all lines without beginning hash and save to a file, e.g. "/root/malwarelist.txt"

2. Cut out and sort the md5sums of the list and save to new file:


cut -f 1 -d ' ' /root/malwarelist.txt | sort > /root/malwarelist-md5only.txt

3. Generate md5sums of a folder (e.g. /etc, or change to any folder) and sort it by using:


find /etc -type f -print0 | xargs -0 md5sum | cut -f 1 -d ' ' | sort > /root/md5sums-etc.txt

4. Use "comm" to find common lines between the above two generated files:


comm -12 /root/malwarelist-md5only.txt /root/md5sums-etc.txt

5. If you see any output from "comm", that means there is at least one match between the md5sums in my list and one or more files in your "/etc" folder. Then you can investigate further.


----------
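
The five steps above, folded into one script, as an added example that is not part of howardsl2's post or the gist. It assumes GNU coreutils (`md5sum`, `find`) and a list in the gist's `md5sum  filename` layout with `#` comment lines; the `demo` function builds a constructed directory and list, it does not touch real malware. The awk hash set replaces the cut/sort/comm pipeline, so the list need not be pre-sorted and the matching path is reported rather than only the hash:

```shell
#!/bin/sh
# Added example (not from the original post): batch-check every file under a
# directory against a hash list in the gist's "md5sum  filename" format, where
# lines beginning with '#' are comments. Assumes GNU coreutils (md5sum, find).

# hash_tree DIR OUT: write "md5  path" for every regular file under DIR to OUT.
# "-exec md5sum {} +" batches paths like xargs and runs nothing when DIR is empty.
hash_tree() {
    find "$1" -type f -exec md5sum {} + > "$2"
}

# find_matches LIST DIR: print the md5sum line of every file under DIR whose
# hash appears as the first field of a non-comment line in LIST.
find_matches() {
    tree=$(mktemp) || return 1
    hash_tree "$2" "$tree"
    # Pass 1 (the list file): collect hashes into an awk set, skipping comments.
    # Pass 2 (the tree file): print each line whose hash is in the set.
    awk 'FILENAME == ARGV[1] { if ($0 !~ /^#/ && NF) bad[tolower($1)] = 1; next }
         (tolower($1) in bad)' "$1" "$tree"
    rm -f "$tree"
}

# demo: constructed sample, no real malware involved. Builds a small tree, lists
# the hash of one of its files, runs the scan and prints the single match line.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/scan/sub"
    printf 'harmless config\n' > "$work/scan/config"
    printf 'fake dropped binary\n' > "$work/scan/sub/.x"   # hidden dot-file, a common attacker habit
    bad=$(md5sum "$work/scan/sub/.x" | cut -d ' ' -f 1)
    {
        echo '# constructed list, same layout as the gist: md5sum  filename'
        echo "$bad  .x"
        echo 'd41d8cd98f00b204e9800998ecf8427e  empty'   # md5 of zero bytes; nothing in the tree matches it
    } > "$work/list.txt"
    find_matches "$work/list.txt" "$work/scan"
    rm -rf "$work"
}

# Real usage against the downloaded gist and /etc, as in the post's steps:
#   find_matches /root/malwarelist.txt /etc
```

A hit means a byte-identical copy of a listed file; a recompiled, repacked or even re-stripped dropper has a different md5 and is not found, so no output is evidence of absence only for those exact samples, and a hit is a starting point for investigation (running processes, cron entries, authorized_keys), not the end of it.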



## Damian (Mar 24, 2014)

That's actually really interesting... I was expecting there to be more stuff on there. 

I was thinking the other day while on an airplane about the feasibility of using inotify to md5sum against newly-written files, and then notify, or potentially take further action on, containers that have written files known to be malicious.


----------



## Francisco (Mar 24, 2014)

inotify doesn't monitor sub folders. You'd have to run an inotify for every folder on the server.

Francisco


----------



## qrwteyrutiyoup (Mar 24, 2014)

Francisco said:


> inotify doesn't monitor sub folders. You'd have to run an inotify for every folder on the server.
> 
> 
> Francisco


You might be able to achieve that with fanotify monitoring a mountpoint with the FAN_EVENT_ON_CHILD flag.

Man page: http://www.xypron.de/projects/fanotify-manpages/man2/fanotify_mark.2.html


----------



## howardsl2 (Aug 10, 2014)

Update: The malware list has been updated with new data through 08/09/2014.

Link to the list: https://gist.github.com/hwdsl2/9737420

Related blog article (with example usage of the list):
Check Your Server for Malware from SSH Attacks


----------



## devonblzx (Aug 11, 2014)

Francisco said:


> inotify doesn't monitor sub folders. You'd have to run an inotify for every folder on the server.
> 
> 
> Francisco


Sysctl fs.inotify.max_user_watches. It may take some tweaking and depends on your system, but you can write a script pretty easily to recurse through all the directories. It depends on how many directories you have on your system, but I have had inotify watches on all the directories on a server before with pretty good success.


----------
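
Damian's idea (hash newly written files and act on known-bad ones) with the recursive-watch question from Francisco and devonblzx handled by `inotifywait -r`, as an added example that is not from any participant in the thread. It assumes Linux with `inotifywait` from inotify-tools installed and a hash list in the same `md5sum  filename` layout as the gist; `check_file` and `known_bad` work without inotify and can be tried on any file:

```shell
#!/bin/sh
# Added example, not from the thread. Watch a directory tree for newly written
# files and compare each one's md5sum against a hash list (one "md5sum  filename"
# per line, '#' comments allowed). Needs inotifywait (inotify-tools) on Linux.

# known_bad HASH LIST: succeed if HASH begins a non-comment line of LIST
# (case-insensitive, hashes are plain hex so no regex escaping is needed).
known_bad() {
    grep -v '^#' "$2" | grep -qi "^$1[[:space:]]"
}

# check_file FILE LIST: print "MATCH <hash> <file>" and succeed if FILE's md5 is
# listed; fail silently otherwise (also when FILE is not a regular file).
check_file() {
    [ -f "$1" ] || return 1
    h=$(md5sum "$1" | cut -d ' ' -f 1)
    if known_bad "$h" "$2"; then
        echo "MATCH $h $1"
        return 0
    fi
    return 1
}

# watch_tree DIR LIST: inotifywait -r sets a watch on DIR and every subdirectory,
# which is what "one inotify per folder" amounts to; each watch counts against
# fs.inotify.max_user_watches, so raise it first on big trees, e.g.
#   sysctl -w fs.inotify.max_user_watches=524288
# close_write fires once a writer closes the file, so the hash is of the complete
# file rather than a half-written one; moved_to catches files renamed into place.
watch_tree() {
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f' "$1" |
    while IFS= read -r path; do
        # The action here is only to log to stderr; a real deployment would kill
        # the process, quarantine the file, or flag the container that wrote it.
        check_file "$path" "$2" && printf 'malware-watch: %s\n' "$path" >&2
    done
}

# Real usage, e.g. watching /tmp and /var/tmp where dropped files usually land:
#   watch_tree /tmp /root/malwarelist.txt
```

The same limitation as the batch scan applies: only exact, already-listed samples are recognised, and an attacker who writes the file with an atomic rename into a directory created after the watcher started is only caught if the new directory also got a watch. Treat this as cheap telemetry on top of the honeypot list, not as an endpoint protection product.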

