Some kippo results

On the 23th of July I started with the SSH honeypot kippo. So after a good two months I decided to collect all the urls/locations those “1337 h4x0rs” are wgetting all their files from. (rootkits/ircbots/scanners)
I came up with the following list:

• http://arhive.xp3.biz/.x/ (multiple times)
• http://r.o.o.t.hi2.ro/
• pibo.com/.x/
• http://smithboy.webs.com/scan/
• http://smithboy.webs.com/emech/
• http://y2khom3.evonet.ro/
• http://eyesz.is-the-boss.com/
• iuliseverin.go.ro/ (multiple times)
• http://linuxhk.webs.com/xxplex/
• webmail.planetarium.com.br/~clayton/iadus/hide
• http://mdtorrent.hi2.ro/upload/
• blackdj.110mb.com/ (multiple times)
• austryaku.110mb.com/
• http://www.freewebs.com/iulianshooter/
• http://pinky.clan.su/flood/ (multiple times)
• freefun.do.am/ (multiple times)
• http://teste.meister.tripod.com/
• http://cake.do.am/ (multiple times)
• http://www.iadus.hi2.ro/
• http://clubhack.ucoz.org/ (multiple times)
• freewebtown.com/baietzas/Arhive/
• hurricane.home.ro
• http://LinuxSyS.Webs.Com/ (multiple times)
• http://www.packetstormsecurity.org/Crackers/ (legitimate site)
• keylogger123.home.ro/
• http://rohacker.ucoz.ru/ (multiple times)
• kok.ucoz.de/ (multiple times)
• http://freedphoto.com/~test/ (multiple times)
• http://vladutz.110mb.com/trades/
• chicktool.com/.x/others/
• http://www.freewebtown.com/hotzu/altele/
• freewebtown.com/codz/py/
• http://freewebtown.com/tarxvfz/
• http://freewebtown.com/evilish12/
• http://www.freewebtown.com/hotzu/xp/
• freewebtown.com/gigel/ (multiple times)
• http://aditzu.ucoz.net/
• http://blackenergy.110mb.com/Emech/
• http://iReaL-Clan.Webs.Com/Arhive/
• http://N-A-S-A.tk/Stifler/mech/
• http://eyesz.is-the-boss.com/
• bezbol.go.ro/ (multiple times)
• http://blackenergy.110mb.com/PsyBNC/
• http://blackenergy.110mb.com/Flood/
• http://blackenergy.110mb.com/Scanner/
• http://solid.go.ro/
• http://pokolake.is-the-boss.com/tgz/ (multiple times)
• cipsonel.com/lipi/ (multiple times)
• http://webfun.evonet.ro/tcl/
• web.clicknet.ro/mirel19/
• adelinuangell.lx.ro/cote/
• http://www.lourdesabarbosa.com/null/
• http://67.227.209.217/~admin/xd/
• http://thecooters.com/
• nasa.tradelinux.org/flood/
• http://mirc.go.ro/
• friguros.com/
• http://sipvicious.googlecode.com/files/ (legitimate site)
• http://tbdev.hi2.ro/
• http://geox.at.ua/
• http://csmioveni.tripod.com/Hack/
• http://208.75.230.43/drugsloco/

Now, I am not saying that these sites are “evil”. Chances are most likely that they are compromised themselves. So, just simply putting them on a blacklist isn’t a good idea.

Some of these links contain open directories, including all sorts of files, while other sites simply may have disappeared into thin air. It’s purely a list I extracted from the database my kippo is writing it’s results to.
As kippo also stores the obtained files, I have a copy of every single one of them for further analysis.
Use this information and/or containing files at you own risk.

Kippo also keeps track of every typed command in every “session”

One particular session I found too funny not sharing it:

Thanks to Justin Elze, for helping me out with the video.

About these ads