2016-07-23. SSH attacked from 193.169.52.222, Russian Federation (AS49404, no organisation name resolved). Event timestamp in the record is 2016-07-14 01:33:30 (the headline date is the report date); client banner SSH-2.0-libssh-0.6.0; login admin / 1234567890 recorded as "success" — a honeypot accepts the attempt, so this is not evidence the credentials are valid anywhere else. No shell commands or downloads were captured.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:33:30",
        "source of the attack": {
            "ip": "193.169.52.222",
            "domain": "AS49404-None",
            "geoloc": "Russian Federation"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh-0.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "admin",
                "password": "1234567890"
            }
        ],
        "shell_commands": [],
        "downloads": []
    },
    "static analysis with peframe": []
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation — presumably a cloud-hosted box, not Microsoft itself). Event timestamp 2016-07-14 03:04:07; client banner SSH-2.0-libssh2_1.6.0; login ubnt / ubnt (the Ubiquiti factory default). The attacker pushed a big-endian MIPS ELF over the SSH channel with `cat > /tmp/.xs/daemon.mips.mod`, then `chmod 777` and executed it — hence the "download" URL is `stdin`: there is no retrieval URL to block, and the only network indicator is the source IP; the sample is identified by the SHA-256 below. The `http://upx.sf.net` string suggests a UPX-packed binary, and the PE-specific peframe fields are empty because the file is ELF, not PE.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 03:04:07",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.mips.mod",
            "chmod 777 /tmp/.xs/daemon.mips.mod",
            "/tmp/.xs/daemon.mips.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "a5a13c53defc2e2e13c4c3aa6087938c08057890",
                "sha256": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
                "md5": "5afdcceb2fc5fc1c15d7fdbef674c6a5"
            },
            "file_found": {},
            "file_type": "ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",
            "file_name": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1215093,
            "peframe_ver": "5.0.1",
            "fuzzing": {},
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 01:03:55; same client banner and ubnt / ubnt login as the other records from this IP. This time the payload is the little-endian MIPS variant (`daemon.mipsel.mod`, SHA-256 5c8c4125…), again written over stdin rather than fetched from a URL; the attacker appears to be dropping one build per architecture.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:03:55",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.mipsel.mod",
            "chmod 777 /tmp/.xs/daemon.mipsel.mod",
            "/tmp/.xs/daemon.mipsel.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "be4b4f732e26d32a8d02504a252a1ab4832f2cce",
                "sha256": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",
                "md5": "856f14251f643bac62b9193c54449472"
            },
            "file_found": {},
            "file_type": "ELF 32-bit LSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",
            "file_name": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1203885,
            "peframe_ver": "5.0.1",
            "fuzzing": {},
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 01:03:53; ubnt / ubnt login; big-endian MIPS payload `daemon.mips.mod` with the same SHA-256 (86fbdd7d…) as the 03:04:07 record, i.e. the same sample delivered twice.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:03:53",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.mips.mod",
            "chmod 777 /tmp/.xs/daemon.mips.mod",
            "/tmp/.xs/daemon.mips.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "a5a13c53defc2e2e13c4c3aa6087938c08057890",
                "sha256": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
                "md5": "5afdcceb2fc5fc1c15d7fdbef674c6a5"
            },
            "file_found": {},
            "file_type": "ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",
            "file_name": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1215093,
            "peframe_ver": "5.0.1",
            "fuzzing": {},
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 01:03:53 — this record is byte-for-byte identical to the preceding one (same timestamp, commands and hashes) and looks like a duplicate export rather than a second session.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:03:53",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.mips.mod",
            "chmod 777 /tmp/.xs/daemon.mips.mod",
            "/tmp/.xs/daemon.mips.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "a5a13c53defc2e2e13c4c3aa6087938c08057890",
                "sha256": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
                "md5": "5afdcceb2fc5fc1c15d7fdbef674c6a5"
            },
            "file_found": {},
            "file_type": "ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",
            "file_name": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1215093,
            "peframe_ver": "5.0.1",
            "fuzzing": {},
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 03:04:05; ubnt / ubnt login; this time the x86 build (`daemon.i686.mod`, ELF 32-bit Intel 80386, SHA-256 0ffa9e64…) was pushed over stdin and executed. Note that the `:curl` entry under peframe's "Possible connections" is only a string match inside the binary, not observed network activity — treat it as a hint to look for an HTTP stage in dynamic analysis, not as a confirmed C2 indicator.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 03:04:05",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.i686.mod",
            "chmod 777 /tmp/.xs/daemon.i686.mod",
            "/tmp/.xs/daemon.i686.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "7feb14146ac938e5989cc0c9eda001540ef5d760",
                "sha256": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
                "md5": "320adee47e53823a1be8a335e4beb246"
            },
            "file_found": {},
            "file_type": "ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",
            "file_name": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1035157,
            "peframe_ver": "5.0.1",
            "fuzzing": {
                "Possible connections": [
                    ":curl"
                ]
            },
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 01:22:25; ubnt / ubnt login; the file was dropped as `/tmp/.xs/test.mod` but carries the same SHA-256 (0ffa9e64…) as the `daemon.i686.mod` sample, so the filename is not a useful indicator — match on the hash, the `/tmp/.xs/` directory and the `cat > … ; chmod 777 …` command pattern instead.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:22:25",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/test.mod",
            "chmod 777 /tmp/.xs/test.mod",
            "/tmp/.xs/test.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "7feb14146ac938e5989cc0c9eda001540ef5d760",
                "sha256": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
                "md5": "320adee47e53823a1be8a335e4beb246"
            },
            "file_found": {},
            "file_type": "ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",
            "file_name": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1035157,
            "peframe_ver": "5.0.1",
            "fuzzing": {
                "Possible connections": [
                    ":curl"
                ]
            },
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 13.95.146.117, United States (AS8075, Microsoft Corporation). Event timestamp 2016-07-14 03:04:05 — this record is byte-for-byte identical to the 03:04:05 `daemon.i686.mod` record above and looks like a duplicate export rather than a separate session.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 03:04:05",
        "source of the attack": {
            "ip": "13.95.146.117",
            "domain": "AS8075-Microsoft Corporation",
            "geoloc": "United States"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-libssh2_1.6.0"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "ubnt",
                "password": "ubnt"
            }
        ],
        "shell_commands": [
            "mkdir /tmp/.xs/",
            "cat > /tmp/.xs/daemon.i686.mod",
            "chmod 777 /tmp/.xs/daemon.i686.mod",
            "/tmp/.xs/daemon.i686.mod"
        ],
        "downloads": [
            {
                "url": "stdin",
                "shasum": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427"
            }
        ]
    },
    "static analysis with peframe": [
        {
            "pe_info": false,
            "hash": {
                "sha1": "7feb14146ac938e5989cc0c9eda001540ef5d760",
                "sha256": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
                "md5": "320adee47e53823a1be8a335e4beb246"
            },
            "file_found": {},
            "file_type": "ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",
            "file_name": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",
            "ip_found": [],
            "url_found": [
                "http://upx.sf.net"
            ],
            "file_size": 1035157,
            "peframe_ver": "5.0.1",
            "fuzzing": {
                "Possible connections": [
                    ":curl"
                ]
            },
            "virustotal": {}
        }
    ]
}

2016-07-23. SSH attacked from 116.31.116.51, China (AS58543, CHINANET Guangdong). Event timestamp 2016-07-14 01:53:45; the client banner is SSH-2.0-PUTTY, which points to an interactive or scripted PuTTY/plink session rather than a libssh-based scanner; login root / "!@" recorded as "success" (the honeypot accepts the attempt). No shell commands or downloads were captured.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:53:45",
        "source of the attack": {
            "ip": "116.31.116.51",
            "domain": "AS58543-CHINANET Guangdong province networkChina TelecomNo.31",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-PUTTY"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "root",
                "password": "!@"
            }
        ],
        "shell_commands": [],
        "downloads": []
    },
    "static analysis with peframe": []
}

2016-07-23. SSH attacked from 116.31.116.51, China (AS58543, CHINANET Guangdong). Event timestamp 2016-07-14 01:53:45 — this record is byte-for-byte identical to the preceding one and looks like a duplicate export rather than a second login.

{
    "project": "OpenBlackList (https://twitter.com/openblacklist)",
    "author": "ElCatapan (https://twitter.com/ElCatapan)",
    "attack details": {
        "timestamp": "2016-07-14 01:53:45",
        "source of the attack": {
            "ip": "116.31.116.51",
            "domain": "AS58543-CHINANET Guangdong province networkChina TelecomNo.31",
            "geoloc": "China"
        },
        "honeypot sensor target": "sensor8",
        "service attacked": "SSH",
        "client_fingerprint": [
            "SSH-2.0-PUTTY"
        ],
        "login_info": [
            {
                "authentication": "success",
                "username": "root",
                "password": "!@"
            }
        ],
        "shell_commands": [],
        "downloads": []
    },
    "static analysis with peframe": []
}