A Useful List of Recent Malware Caught on VPS Server
Hello all,
I have taken the time to compile a list that summarizes recent malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded these files after breaking in, and tried to run them immediately (usually with "nohup"). Therefore, they are most likely used to launch DDoS attacks, or do all kinds of malicious or illegal stuff.
Included are the MD5SUMs of those files as well as possible filenames used by the attackers. I compiled this list in the hopes that it could benefit you as a server owner, or VPS provider. Possible uses include searching for infected files or processes on your server for removal. However, please note that this list is by no means complete or accurate. USE AT YOUR OWN RISK!
The list is hosted on GitHub Gist. I plan to update it periodically as needed.
Link: https://gist.github.com/hwdsl2/9737420
Example steps to check files in a folder (correct me if any command is wrong):
1: Browse to my list above, copy and paste all lines without beginning hash, and save to a file, e.g. /root/malwarelist.txt
2: Cut out and sort the md5sums of the list and save to new file:
cut -f 1 -d ' ' /root/malwarelist.txt | sort > /root/malwarelist-md5only.txt
3: Generate md5sums of a folder (e.g. /etc, or change to any folder) and sort it by using:
find /etc -type f -print0 | xargs -0 md5sum | cut -f 1 -d ' ' | sort > /root/md5sums-etc.txt
4: Use "comm" to find common lines between the above two generated files:
comm -12 /root/malwarelist-md5only.txt /root/md5sums-etc.txt
5: If you see any output from "comm", that means there is at least one match between the md5sums in my list and one or more files in your "/etc" folder. Then you can investigate further.
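The same check as the five steps above, written up as an added example script rather than the original post's commands. It differs in two practical ways: comment lines (those starting with '#') are dropped automatically, and matches are reported with the file path instead of just the bare hash, since the hash alone is what "comm" prints. It assumes (not stated on the page) that each data line of the list begins with a 32-character md5, that "md5sum" and "find -print0" are available (any Linux box), and that the sample files and list built in "demo" are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a sorted md5 list from a
# downloaded copy of the gist, hashes a directory tree and reports every file whose
# md5 is on the list together with its path.
# Assumptions (not stated on the page): each list entry starts with a 32-hex-char md5,
# and lines beginning with '#' are comments.

# extract_md5s LISTFILE: md5 column only, comments and malformed lines dropped,
# sorted in the C locale so sort/comm/join all agree on the order.
extract_md5s() {
    grep -v '^#' "$1" | cut -d ' ' -f 1 | grep -E '^[0-9a-f]{32}$' | LC_ALL=C sort -u
}

# hash_tree DIR: "<md5>  <path>" for every regular file under DIR.
# -print0 / -0 keep paths containing spaces intact.
hash_tree() {
    find "$1" -type f -print0 | xargs -0 md5sum
}

# find_matches LISTFILE DIR: print "<md5>  <path>" for each file whose md5 is on the
# list. Patterns are anchored with '^' so a hash-like substring inside a path cannot
# match. Exits 0 whether or not anything matched (grep alone would exit 1 on no match).
find_matches() {
    patterns=$(mktemp) || return 1
    extract_md5s "$1" | sed 's/^/^/' > "$patterns"
    if [ -s "$patterns" ]; then
        hash_tree "$2" | grep -f "$patterns" || :
    fi
    rm -f "$patterns"
}

# count_matches LISTFILE DIR: number of matching files, for cron jobs and alerting.
count_matches() {
    find_matches "$1" "$2" | wc -l | tr -d ' '
}

# demo: constructed list and files in a temp dir. The hash of the "bot" file is put on
# the list, the other file is not, so exactly one line should be printed.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/scan/tmp dir"
    printf 'constructed bot payload\n' > "$work/scan/tmp dir/.x"
    printf 'harmless config\n' > "$work/scan/ok.conf"
    bot_md5=$(md5sum < "$work/scan/tmp dir/.x" | cut -d ' ' -f 1)
    # Constructed list in the assumed gist layout: a comment line, then "<md5>  <name>".
    printf '# md5sum  filename\n%s  .x\n%s  unrelated\n' \
        "$bot_md5" "00000000000000000000000000000000" > "$work/list.txt"
    find_matches "$work/list.txt" "$work/scan"
    rm -rf "$work"
}

demo
```

Run it as root against the directories attackers actually drop into (/tmp, /var/tmp, /dev/shm, home directories) rather than only /etc; a match means a known sample is on disk, but no match proves nothing, because rebuilding the binary changes its md5 and a running process may already have deleted its file.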
Comments
Love your PBX in a Flash tutorial! Great stuff on your blog
Do you mind if we integrate this list with the infection finder we're adding to Feathur in the next few weeks?
Sure, feel free to integrate it. However please note that this list is by no means complete and could contain errors. I may update it at a later time.
Interesting, you got time to ask questions here but no time to terminate one of your former employees with all his access???
http://lowendtalk.com/discussion/24010/what-do-you-do-when-an-ex-employer-won-t-remove-you-from-access#latest
That's a low blow, to be honest. Especially coming from you, as you were "the victim" when we all kept reminding you about your failure to own up to the fantastic prize you won about one-and-a-half year ago. So, it's actually surprising to have this come from you.
@hwdsl2: nice work man!
And what you've said after quickly closing that thread without getting the issues resolved, and now trying to accuse me of something completely irrelevant, is not????
I am sorry but I just can't figure out my logic here
This is pretty nifty.
OP I'm sorry for going off topic for a moment here...
My former employee didn't have access to anything. He was getting emails from an uptime tracker we haven't used in a year and decided it'd be cool to make a random thread about us on the forums... Can we keep this thread on topic please?
Sure...no more reply from me on @BlueVM in this thread. OP my apologies.
Just updated the malware list with more data from June-Dec 2013, in addition to those from 2014 which were added earlier.
Update: The malware list has been updated with new data through 06/29/14. In addition, three new columns "First Seen", "Last Seen" and "#Times" have been added.
Related blog post: Check Your Server for Malware from SSH Attacks
Link to the list: https://gist.github.com/hwdsl2/9737420
@hwdsl2 - one that you should add to this is iptableX, this one has burnt a lot of customers recently with no-end of outgoing DOS/floods
Why don't you upload infected files also? It's much more helpful. And also it let people who'll use that list to verify, that they are really infected.
I searched through the logs and it seems that the files ".IptabLes" and ".IptabLex" could be downloaded by program "getsetup.hb" which can be found in the malware list (7 different versions for it so far). However because "getsetup.hb" never really executed in the honeypot, I don't get those files.
EDIT: I found the md5sums by Google search [1] [2] [3]. Added to the list.
Not sure if that is a good idea... I'd refrain from uploading the infected files for now.
Running kippo is fun, I used to use my host1free VPS for it but they suspended it for some reason...
Good stuff, thanks for posting this.
Maybe they detected that it was being filled up with malware
Nice list! I found part of this software on our customer's VPS. Maybe you will be interested in my project https://github.com/pavel-odintsov/Antidoto for detecting system anomalies.
Update: The malware list has been updated with new data through 08/10/2014.
Link to the list: https://gist.github.com/hwdsl2/9737420
For example usage of this list, please refer to my blog article:
Check Your Server for Malware from SSH Attacks
Does this mean you are going to update the stable branch soon?
@drserver was this what you wanted?
We certainly hope so... lots of cool new things coming down the pipe, just have to make sure they're ready for prime time.
You may want to remove 'without beginning hash' from the first step.
Thanks for pointing that out. I know it's confusing but what I meant was "copy all lines EXCEPT those beginning with a '#' ". I have since updated the instructions in my blog post:
Check Your Server for Malware from SSH Attacks
Thanks for sharing the list! I also use maldet to scan for malware on my system, here's a useful guide just in case you would like to read more about it: http://bestinlinux.com/scan-linux-system-with-malware-detect-maldet-easy-installation-steps/
Recently caught some malware on my vps.
All downloaded from here http://222.186.34.210:5340/
Sent this link to MalwareMustDie. Nice tutorial, thanks!
Updated the malware list with new data through 11/01/2014. Also removed a few lines where the attacker's file download(s) did not finish.
Related blog post: Check Your Server for Malware from SSH Attacks
Link to the list: https://gist.github.com/hwdsl2/9737420
(The list is licensed GPLv3. It is by no means complete and could contain false positives. Use at your own risk!)