Some kippo results September 28, 2010
Posted by lvdeijk in Uncategorized.trackback
On the 23th of July I started with the SSH honeypot kippo. So after a good two months I decided to collect all the urls/locations those “1337 h4x0rs” are wgetting all their files from. (rootkits/ircbots/scanners)
I came up with the following list:
- http://arhive.xp3.biz/.x/ (multiple times)
- http://r.o.o.t.hi2.ro/
- pibo.com/.x/
- http://smithboy.webs.com/scan/
- http://smithboy.webs.com/emech/
- http://y2khom3.evonet.ro/
- http://eyesz.is-the-boss.com/
- iuliseverin.go.ro/ (multiple times)
- http://linuxhk.webs.com/xxplex/
- webmail.planetarium.com.br/~clayton/iadus/hide
- http://mdtorrent.hi2.ro/upload/
- blackdj.110mb.com/ (multiple times)
- austryaku.110mb.com/
- http://www.freewebs.com/iulianshooter/
- http://pinky.clan.su/flood/ (multiple times)
- freefun.do.am/ (multiple times)
- http://teste.meister.tripod.com/
- http://cake.do.am/ (multiple times)
- www.iadus.hi2.ro/
- http://clubhack.ucoz.org/ (multiple times)
- freewebtown.com/baietzas/Arhive/
- hurricane.home.ro
- http://LinuxSyS.Webs.Com/ (multiple times)
- http://www.packetstormsecurity.org/Crackers/ (legitimate site)
- keylogger123.home.ro/
- http://rohacker.ucoz.ru/ (multiple times)
- kok.ucoz.de/ (multiple times)
- http://freedphoto.com/~test/ (multiple times)
- http://vladutz.110mb.com/trades/
- chicktool.com/.x/others/
- www.freewebtown.com/hotzu/altele/
- freewebtown.com/codz/py/
- http://freewebtown.com/tarxvfz/
- http://freewebtown.com/evilish12/
- www.freewebtown.com/hotzu/xp/
- freewebtown.com/gigel/ (multiple times)
- http://aditzu.ucoz.net/
- http://blackenergy.110mb.com/Emech/
- http://iReaL-Clan.Webs.Com/Arhive/
- http://N-A-S-A.tk/Stifler/mech/
- http://eyesz.is-the-boss.com/
- bezbol.go.ro/ (multiple times)
- http://blackenergy.110mb.com/PsyBNC/
- http://blackenergy.110mb.com/Flood/
- http://blackenergy.110mb.com/Scanner/
- http://solid.go.ro/
- http://pokolake.is-the-boss.com/tgz/ (multiple times)
- cipsonel.com/lipi/ (multiple times)
- http://webfun.evonet.ro/tcl/
- web.clicknet.ro/mirel19/
- adelinuangell.lx.ro/cote/
- http://www.lourdesabarbosa.com/null/
- http://67.227.209.217/~admin/xd/
- http://thecooters.com/
- nasa.tradelinux.org/flood/
- http://mirc.go.ro/
- friguros.com/
- http://sipvicious.googlecode.com/files/ (legitimate site)
- http://tbdev.hi2.ro/
- http://geox.at.ua/
- http://csmioveni.tripod.com/Hack/
- http://208.75.230.43/drugsloco/
Now, I am not saying that these sites are “evil”. Chances are most likely that they are compromised themselves. So, just simply putting them on a blacklist isn’t a good idea.
Some of these links contain open directories, including all sorts of files, while other sites simply may have disappeared into thin air. It’s purely a list I extracted from the database my kippo is writing it’s results to.
As kippo also stores the obtained files, I have a copy of every single one of them for further analysis.
Use this information and/or containing files at you own risk.
Kippo also keeps track of every typed command in every “session”
One particular session I found too funny not sharing it:
Thanks to Justin Elze, for helping me out with the video.
[...] Some kippo results September 2010 5 [...]