amuck-landowner

A Useful List of Recent Malware Caught on VPS Server

howardsl2

New Member
Hello all,

I have taken the time to compile a list that summarizes recent malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded these files after breaking into the honeypot, and tried to run them immediately. Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious or illegal stuff.

Included are the MD5SUMs of those files as well as possible filenames used by the attackers. I compiled this list in the hopes that it could benefit you as a server owner, or VPS provider. Possible uses include searching for infected files or processes on your server for removal. However, please note that this list is by no means complete or accurate. USE AT YOUR OWN RISK!

The list is hosted on GitHub Gist. I plan to update it periodically as needed.     
Link: https://gist.github.com/hwdsl2/9737420
 

Example steps to check files in a folder (correct me if any command is wrong):

1. Browse to my list above, copy and paste all lines without beginning hash and save to a file, e.g. "/root/malwarelist.txt"

2. Cut out and sort the md5sums of the list and save to new file:


cut -f 1 -d ' ' /root/malwarelist.txt | sort > /root/malwarelist-md5only.txt

3. Generate md5sums of a folder (e.g. /etc, or change to any folder) and sort it by using:


find /etc -type f -print0 | xargs -0 md5sum | cut -f 1 -d ' ' | sort > /root/md5sums-etc.txt
4. Use "comm" to find common lines between the above two generated files:


comm -12 /root/malwarelist-md5only.txt /root/md5sums-etc.txt
5. If you see any output from "comm", that means there is at least one match between the md5sums in my list and one or more files in your "/etc" folder. Then you can investigate further.
 
Last edited by a moderator:

Damian

New Member
Verified Provider
That's actually really interesting... I was expecting there to be more stuff on there. 

I was thinking the other day while on an airplane about the feasibility of using inotify to md5sum against newly-written files, and then notify, or potentially take further action on, containers that have written files known to be malicious. 
 

Francisco

Company Lube
Verified Provider
inotify doesn't monitor sub folders :( You'd have to run an inotify for every folder on the server.

Francisco
 

devonblzx

New Member
Verified Provider
inotify doesn't monitor sub folders :( You'd have to run an inotify for every folder on the server.


Francisco
Sysctl fs.inotify.max_user_watches.  It may take some tweaking and depends on your system but you can write a script pretty easily to recurse through all the directories.  It depends on how many directories you have on your system but I have had inotify watches on all the directories on a server before with pretty good success.
 
Top
amuck-landowner