2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:22:04",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.armv4l.mod",            "chmod 777 /tmp/.xs/daemon.armv4l.mod",            "/tmp/.xs/daemon.armv4l.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "fc9651f35a50aa5139bd4877b900b922463117c6",                "sha256": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",                "md5": "3ed81eec6c0d6603b4263c89c2561187"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, ARM, version 1, statically linked, stripped",            "file_name": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1069817,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:22:05",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.armv4l.mod",            "chmod 777 /tmp/.xs/daemon.armv4l.mod",            "/tmp/.xs/daemon.armv4l.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "fc9651f35a50aa5139bd4877b900b922463117c6",                "sha256": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",                "md5": "3ed81eec6c0d6603b4263c89c2561187"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, ARM, version 1, statically linked, stripped",            "file_name": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1069817,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:43:21",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/test.mod",            "chmod 777 /tmp/.xs/test.mod",            "/tmp/.xs/test.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "7feb14146ac938e5989cc0c9eda001540ef5d760",                "sha256": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",                "md5": "320adee47e53823a1be8a335e4beb246"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",            "file_name": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1035157,            "peframe_ver": "5.0.1",            "fuzzing": {                "Possible connections": [                    ":curl"                ]            },            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 103.238.68.242, Vietnam

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:45:17",        "source of the attack": {            "ip": "103.238.68.242",            "domain": "AS24088-Hanoi Telecom Corporation2 Chua Boc",            "geoloc": "Vietnam"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-Granados-1.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [],        "downloads": []    },    "static analysis with peframe": []}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:43:21",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/test.mod",            "chmod 777 /tmp/.xs/test.mod",            "/tmp/.xs/test.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "7feb14146ac938e5989cc0c9eda001540ef5d760",                "sha256": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",                "md5": "320adee47e53823a1be8a335e4beb246"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped",            "file_name": "0ffa9e646e881568c1f65055917547b04d89a8a2150af45faa66beb2733e7427",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1035157,            "peframe_ver": "5.0.1",            "fuzzing": {                "Possible connections": [                    ":curl"                ]            },            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:22:04",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.armv4l.mod",            "chmod 777 /tmp/.xs/daemon.armv4l.mod",            "/tmp/.xs/daemon.armv4l.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "fc9651f35a50aa5139bd4877b900b922463117c6",                "sha256": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",                "md5": "3ed81eec6c0d6603b4263c89c2561187"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, ARM, version 1, statically linked, stripped",            "file_name": "9c2848962733846bf50b490fd8f6c7ce9ecade2d3f2f530f5ecbba283af87d3a",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1069817,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:43:19",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.mipsel.mod",            "chmod 777 /tmp/.xs/daemon.mipsel.mod",            "/tmp/.xs/daemon.mipsel.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "be4b4f732e26d32a8d02504a252a1ab4832f2cce",                "sha256": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",                "md5": "856f14251f643bac62b9193c54449472"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",            "file_name": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1203885,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 121.18.238.32, China

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:18:52",        "source of the attack": {            "ip": "121.18.238.32",            "domain": "AS4837-China Unicom Hebei province networkChina Unicom",            "geoloc": "China"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-PUTTY"        ],        "login_info": [],        "shell_commands": [],        "downloads": []    },    "static analysis with peframe": []}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:43:18",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.mips.mod",            "chmod 777 /tmp/.xs/daemon.mips.mod",            "/tmp/.xs/daemon.mips.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "a5a13c53defc2e2e13c4c3aa6087938c08057890",                "sha256": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",                "md5": "5afdcceb2fc5fc1c15d7fdbef674c6a5"            },            "file_found": {},            "file_type": "ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",            "file_name": "86fbdd7df9486a17e9c408c7e50635e26402fdf297c9e97f1a5256100401dcc5",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1215093,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}

2016-07-25. SSH attacked from 13.95.146.117, United States

{    "project": "OpenBlackList (https://twitter.com/openblacklist)",    "author": "ElCatapan (https://twitter.com/ElCatapan)",    "attack details": {        "timestamp": "2016-07-14 01:43:19",        "source of the attack": {            "ip": "13.95.146.117",            "domain": "AS8075-Microsoft Corporation",            "geoloc": "United States"        },        "honeypot sensor target": "sensor8",        "service attacked": "SSH",        "client_fingerprint": [            "SSH-2.0-libssh2_1.6.0"        ],        "login_info": [            {                "authentication": "success",                "username": "ubnt",                "password": "ubnt"            }        ],        "shell_commands": [            "mkdir /tmp/.xs/",            "cat > /tmp/.xs/daemon.mipsel.mod",            "chmod 777 /tmp/.xs/daemon.mipsel.mod",            "/tmp/.xs/daemon.mipsel.mod"        ],        "downloads": [            {                "url": "stdin",                "shasum": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152"            }        ]    },    "static analysis with peframe": [        {            "pe_info": false,            "hash": {                "sha1": "be4b4f732e26d32a8d02504a252a1ab4832f2cce",                "sha256": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",                "md5": "856f14251f643bac62b9193c54449472"            },            "file_found": {},            "file_type": "ELF 32-bit LSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped",            "file_name": "5c8c41253aa68adeb955e7d1c7b8e084e06537f75eff12c3f3a0f3cb30cb2152",            "ip_found": [],            "url_found": [                "http://upx.sf.net"            ],            "file_size": 1203885,            "peframe_ver": "5.0.1",            "fuzzing": {},            "virustotal": {}        }    ]}