howardsl2
New Member
Hello all,
I have taken the time to compile a list that summarizes recent malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded these files after breaking into the honeypot, and tried to run them immediately. Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious or illegal stuff.
Included are the MD5SUMs of those files as well as possible filenames used by the attackers. I compiled this list in the hopes that it could benefit you as a server owner, or VPS provider. Possible uses include searching for infected files or processes on your server for removal. However, please note that this list is by no means complete or accurate. USE AT YOUR OWN RISK!
The list is hosted on GitHub Gist. I plan to update it periodically as needed.
Link: https://gist.github.com/hwdsl2/9737420
Example steps to check files in a folder (correct me if any command is wrong):
1. Browse to my list above, copy and paste all lines without beginning hash and save to a file, e.g. "/root/malwarelist.txt"
2. Cut out and sort the md5sums of the list and save to new file:
cut -f 1 -d ' ' /root/malwarelist.txt | sort > /root/malwarelist-md5only.txt
3. Generate md5sums of a folder (e.g. /etc, or change to any folder) and sort it by using:
find /etc -type f -print0 | xargs -0 md5sum | cut -f 1 -d ' ' | sort > /root/md5sums-etc.txt
4. Use "comm" to find common lines between the above two generated files:
comm -12 /root/malwarelist-md5only.txt /root/md5sums-etc.txt
5. If you see any output from "comm", that means there is at least one match between the md5sums in my list and one or more files in your "/etc" folder. Then you can investigate further.
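The steps above, folded into one script as an added example (not the original poster's commands): it does the same md5 cross-check but uses "join" instead of "comm" so that the matching file path is printed next to the hash. It assumes GNU coreutils/findutils (md5sum, sort, join, mktemp, xargs -r); the list and folder it scans are constructed in the script so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: the same md5 cross-check as
# steps 1-4 above, wrapped in a function that reports the matching file paths
# rather than only the bare hashes that "comm" prints. Assumes GNU coreutils and
# findutils (md5sum, sort, join, mktemp, xargs -r). The list and files below are
# constructed so the script runs offline; point it at a real list copy and
# folder in practice.

# scan_dir LISTFILE DIR
# Prints "<md5> <path>" for every regular file under DIR whose md5 appears in
# LISTFILE (list layout: "<md5> <filename>" per line, "#" lines are comments).
scan_dir() {
    work=$(mktemp -d)
    # steps 1+2: drop comment lines, keep the hash column, sort for join
    grep -v '^#' "$1" | cut -f 1 -d ' ' | LC_ALL=C sort -u > "$work/list.md5"
    # step 3: hash every regular file; md5sum emits "<md5>  <path>" (two spaces)
    find "$2" -type f -print0 | xargs -0 -r md5sum | sed 's/  / /' \
        | LC_ALL=C sort > "$work/dir.md5"
    # step 4: join on the hash field instead of comm, so the path survives
    join "$work/list.md5" "$work/dir.md5"
    rm -rf "$work"
}

# setup_demo: build a constructed folder plus list and print their parent dir.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/scan"
    printf 'harmless config line\n' > "$d/scan/service.conf"
    printf 'CONSTRUCTED SAMPLE standing in for a dropped binary\n' > "$d/scan/.x"
    bad=$(md5sum "$d/scan/.x" | cut -f 1 -d ' ')
    {
        echo '# constructed list in the gist layout: <md5> <filename>'
        echo "$bad .x"
        echo '00000000000000000000000000000000 placeholder-not-present'
    } > "$d/malwarelist.txt"
    echo "$d"
}

# count_matches LISTFILE DIR -> number of matching files (0 means none found)
count_matches() {
    scan_dir "$1" "$2" | wc -l | tr -d ' '
}

demo=$(setup_demo)
scan_dir "$demo/malwarelist.txt" "$demo/scan"   # prints one line, for .x
rm -rf "$demo"
```

A hash match only says the file's bytes equal a listed sample; a recompiled or repacked binary will not match, so an empty result is not proof of a clean host.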