psh-ack - AbuseIPDB User Profile

JavaScript is disabled. Some features of this site may not work properly. For a smoother experience, please enable JavaScript in your browser settings.

User psh-ack joined AbuseIPDB in May 2022 and has reported 57,159 IP addresses.

Standing (weight) is good.

ACTIVE USER WEBMASTER SUPPORTER

IP	Date	Comment	Categories
🇨🇳 175.6.109.238	2 minutes ago	Conducted 3 SSH sessions via libssh 0.9.6 with creds: 345gs5662d34/345gs5662d34, root/3245gs5662d34, ... show more Conducted 3 SSH sessions via libssh 0.9.6 with creds: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/tencent@2025. Auth successful. Executed persistence & anti-forensics cmds: (1) Removed ~/.ssh, recreated dir, injected RSA pubkey AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx... for backdoor access. (2) Attempted chattr -ia on .ssh, exec lockr -ia (likely Diamorphine rootkit/LKM to hide persistence & prevent attribute modification). Attack pattern indicates preparation for sustained unauthorized access, evasion of detection, & prevention of cred removal. "tencent@2025" suggests targeting Tencent cloud infrastructure or cred reuse from prior compromises. libssh version suggests automated scanning/botnet activity vs manual exploitation. show less	Brute-Force SSH
🇧🇷 138.99.79.29	2 minutes ago	Compromised SSH honeypot, credential-stuffing attack with creds root/ubuntu. Go-based SSH client exe ... show more Compromised SSH honeypot, credential-stuffing attack with creds root/ubuntu. Go-based SSH client executed malware. Attacker uploaded binary to .3420253705005418454/sshd, made executable, launched via nohup with hardcoded IPs: 120.195.118.110, 120.193.9.167, 202.134.23.229, 185.118.12.20, 39.175.51.58, 114.218.57.21, 95.38.167.245, 121.28.170.66, 45.55.91.50, 178.x.x.x. Process backgrounding indicates persistence. Attack chain: auth compromise > malware upload > exec with C2/target IPs. Binary execution indicates active compromise. SSH-2.0-Go fingerprint suggests automated Golang-based botnet framework. 4-minute window suggests scripted attack. Recommend global blocking and monitor for propagation to listed targets. show less	Hacking Brute-Force SSH
🇨🇳 14.29.240.154	2 minutes ago	established 3 SSH sessions using credentials ak/3245gs5662d34 and ak/ak@123 via libssh 0.11.1 client ... show more established 3 SSH sessions using credentials ak/3245gs5662d34 and ak/ak@123 via libssh 0.11.1 client. Primary attack chain involved SSH key injection for persistence. First command removed existing .ssh directory, recreated it, and injected public RSA key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx...) into authorized_keys for passwordless remote access. Second command attempted to modify file attributes using chattr -ia to prevent key removal, followed by invocation of "lockr" utility (likely typo or non-standard tool attempting similar file locking). Attack demonstrates SSH persistence technique targeting root or privileged account. No malware downloads observed. No lateral movement or port forwarding commands detected. Credentials suggest automated credential stuffing or dictionary attack pattern (generic username with weak password variants). show less	Brute-Force SSH
🇺🇸 165.227.209.27	2 minutes ago	Exploited 3 creds (345gs5662d34/345gs5662d34, k8s/3245gs5662d34, k8s/admin123) via libssh 0.9.6 in 2 ... show more Exploited 3 creds (345gs5662d34/345gs5662d34, k8s/3245gs5662d34, k8s/admin123) via libssh 0.9.6 in 2 sec. SSH key injection attack: removed .ssh dir, recreated it, injected RSA pubkey AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4UhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx for persistence. Secondary chain: changed to home dir, removed immutable flags via chattr -ia .ssh, applied lockr -ia (non-standard tool). Credential stuffing + immediate persistence establishment. Rapid multi-attempt execution, k8s targeting suggests automated scanning/botnet activity focused on Kubernetes environments or containerized systems. show less	Brute-Force SSH
🇺🇸 172.190.216.105	2 minutes ago	Deployed SSH key persistence. Initial connection attempts w/ 3 cred pairs (345gs5662d34/345gs5662d34 ... show more Deployed SSH key persistence. Initial connection attempts w/ 3 cred pairs (345gs5662d34/345gs5662d34, kjs/3245gs5662d34, kjs/kjs) using libssh 0.9.6. Successfully executed cmds across 2 sessions. First chain: navigated home dir, deleted .ssh folder (recursive force), recreated .ssh dir, echoed RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for persistent passwordless SSH access. Second cmd: chattr to remove immutable/append-only flags, then lockr to reapply flags on .ssh—hardening persistence against removal/detection. Attack pattern: unauthorized remote access w/ anti-forensics. libssh version suggests automated tool. Activity completed in 2-second window indicating scripted reconnaissance and persistence establishment. show less	Brute-Force SSH
🇨🇳 115.190.203.239	48 minutes ago	Brute-forced creds ubuntu/12345678a via libssh 0.9.6. System profiling: CPU enumeration, memory/disk ... show more Brute-forced creds ubuntu/12345678a via libssh 0.9.6. System profiling: CPU enumeration, memory/disk checks, crontab inspection. Persistence deployed: SSH key injection (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx), SSH config removal, chattr/lockr cmds (rootkit/file immutability hardening). Passwd reset attempted with secondary cred PGt4KwxC6Rfn. Attacker suppressed .ssh removal via chattr -ia. Eight enumeration cmds executed (env vars, network interfaces, processes). No malware dl/lateral movement detected. Persistence via SSH key + modified creds enables return access. Pattern consistent w/ automated botnet scanner: weak creds → privilege escalation → C2 callback prep. show less	Brute-Force SSH
🇧🇷 177.16.244.39	48 minutes ago	Brute force attack across 3 credential pairs using libssh 0.9.6. Successfully authenticated with at ... show more Brute force attack across 3 credential pairs using libssh 0.9.6. Successfully authenticated with at least one cred set. SSH key injection executed: removed .ssh dir, recreated it, implanted RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistent access. chattr -ia cmd issued on .ssh dir to prevent deletion. Lockr cmd attempted (malformed). Attack chain indicates persistence setup for unauthorized access maintenance and potential privilege escalation/lateral movement. Cred pattern (alphanumeric strings like "345gs5662d34") suggests dictionary/automated attack. Activity completed within 4 seconds across 3 sessions, typical of automated scanning. SSH key injection with immutability flags prioritized for persistence. show less	Brute-Force SSH
🇧🇩 45.120.115.150	48 minutes ago	conducted credential stuffing using libssh 0.9.6 across three login attempts, succeeding with swapna ... show more conducted credential stuffing using libssh 0.9.6 across three login attempts, succeeding with swapna/swapna123. Initial access resulted in SSH directory manipulation: removed ~/.ssh, recreated it, and injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistence via unauthorized SSH key addition. Second command attempted to lock down the .ssh directory using chattr -ia to prevent deletion and modifications, followed by an unrecognized command (lockr -ia .ssh) that may be a typo or custom utility. Attack chain demonstrates classic persistence pattern: credential compromise, authorized_keys manipulation, and filesystem attribute hardening to prevent remediation. Low sophistication but effective for maintaining persistent backdoor access. No malware downloads or lateral movement observed during session window, though SSH key injection enables future passwordless access. show less	Brute-Force SSH
🇨🇳 59.36.75.227	1 hour ago	Credential brute force via libssh_0.11.1 targeting creds: 345gs5662d34/345gs5662d34, root/12qwaszX, ... show more Credential brute force via libssh_0.11.1 targeting creds: 345gs5662d34/345gs5662d34, root/12qwaszX, root/3245gs5662d34. Attack chain: removed .ssh dir, recreated it, injected RSA pub key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for passwordless auth. Used chattr -ia on .ssh dir to set immutable/append-only flags preventing deletion. Invoked lockr cmd with identical flags for additional protection. Goal: persistent SSH access resilient against incident response deletion attempts. Automated exploitation focused on persistence mechanisms. show less	Brute-Force SSH
🇺🇸 107.197.183.81	1 hour ago	SSH brute-force using libssh 0.9.6. Three auth attempts: 345gs5662d34/345gs5662d34, zhangwei/3245gs5 ... show more SSH brute-force using libssh 0.9.6. Three auth attempts: 345gs5662d34/345gs5662d34, zhangwei/3245gs5662d34, zhangwei/zhangwei. Successful cmd exec. Attack chain: rm -rf .ssh, dir recreation, injected RSA pubkey AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx into .ssh for persistence. Secondary cmds: chattr -ia .ssh (remove immutable flags), lockr -ia .ssh (disable protections). Cred reuse pattern suggests dict attack. Duration 3sec indicates automated/scripted. libssh 0.9.6 suggests botnet/framework. Intent: persistent access via SSH keys + prevent admin reversal via immutability removal. show less	Brute-Force SSH
🇨🇳 14.103.118.212	1 hour ago	Exploited weak credentials (345gs5662d34/345gs5662d34, root/2wsxCDE#) via libssh 0.11.1. Injected RS ... show more Exploited weak credentials (345gs5662d34/345gs5662d34, root/2wsxCDE#) via libssh 0.11.1. Injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for SSH persistence. Removed .ssh dir, recreated, added attacker key. Attempted immutability flags (chattr -ia) to prevent removal. Three sessions in 2min window. No malware dl/lateral movement. Persistence solely via SSH key implant. Likely from credential harvesting/brute-force against exposed SSH. Threat: account compromise w/ persistent passwordless access. show less	Brute-Force SSH
🇻🇳 171.244.37.103	1 hour ago	Cred spray attempt: 345gs5662d34/345gs5662d34, tigergraph/3245gs5662d34, tigergraph/tigergraph. Clie ... show more Cred spray attempt: 345gs5662d34/345gs5662d34, tigergraph/3245gs5662d34, tigergraph/tigergraph. Client: libssh 0.9.6. Two cmd sequences executed post-auth. Payload 1: rm .ssh dir + RSA pubkey injection into authorized_keys (key: AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) establishes persistent SSH access. Payload 2: chattr -ia on .ssh dir, then 'lockr' cmd with -ia flags to enforce immutable/append-only + additional locking. Combined approach prevents legit SSH key removal/modification. Targets root + tigergraph app accts (graph database). Attack window: 6.77s across 3 sessions indicates automation. No malware dl, C2, lateral movement observed. Persistence-focused, not exfil. show less	Brute-Force SSH
🇨🇳 122.13.25.186	1 hour ago	Reconnaissance and credential compromise activity. Attacker used libssh client to enumerate system r ... show more Reconnaissance and credential compromise activity. Attacker used libssh client to enumerate system resources (CPU, memory, disk) via Linux inspection cmds. Password change executed: echo pipe to passwd utility, new cred w90mcS3i8SxG. SSH key injection: removed .ssh dir, created new one, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx...). Cmds included chmod modifications (.ssh perms hardened), crontab enum, file attr manipulation (chattr, lockr) suggesting intent to prevent cleanup of injected SSH keys. Pattern indicates post-compromise persistence: passwordless SSH access, prevent authorized_keys removal. Three sessions within ~2 min window suggest automated scanning or scripted exploit. No malware dl or lateral movement observed. show less	Brute-Force SSH
🇺🇸 50.84.211.204	1 hour ago	Exploited weak creds via 3 SSH sessions using libssh 0.9.6. Attempted creds: 345gs5662d34/345gs5662d ... show more Exploited weak creds via 3 SSH sessions using libssh 0.9.6. Attempted creds: 345gs5662d34/345gs5662d34, free/1, free/3245gs5662d34. Attack injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for backdoor access. Used chattr/lockr to manipulate file attributes preventing SSH dir removal—defensive persistence. Removed/recreated SSH dir, injected pubkey. No malware dl observed. Rapid activity (2.3s total) suggests automated scanning framework. Generic wordlist targeting. Recommend blocking source IP, monitoring libssh 0.9.6 signatures, alerting on SSH dir modifications with pubkey injections. show less	Brute-Force SSH
🇷🇴 80.94.92.171	1 hour ago	Go-based SSH client attempted exploitation with three sessions over 8 minutes using weak credentials ... show more Go-based SSH client attempted exploitation with three sessions over 8 minutes using weak credentials: sol/123, sol/sol/1234, and ubuntu/ubuntu. All three credentials achieved successful authentication. Post-authentication reconnaissance executed: system enumeration via uname with full output flags (system, version, nodename, release, machine), GPU detection through lspci VGA filtering, and uptime query. No malware downloads, persistence mechanisms, lateral movement, or port forwarding observed. Attack pattern indicates automated reconnaissance scanning for system fingerprinting and resource profiling, likely probe activity for victim classification before staged payload delivery or exploitation. No command injection attempts or shell metacharacters detected in executed commands. Sessions terminated after reconnaissance phase without further activity. show less	Brute-Force SSH
🇺🇸 203.88.119.100	1 hour ago	SSH attack targeting cred compromise & persistence. Attacker tried 3 cred pairs via libssh 0.9.6. Co ... show more SSH attack targeting cred compromise & persistence. Attacker tried 3 cred pairs via libssh 0.9.6. Commands executed successfully. Payload: SSH key injection - removed .ssh dir, recreated it, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx...) for persistent access. Secondary cmd attempted chattr -ia flags to lock SSH dir, preventing key removal. Malformed syntax ('lockr') suggests typo or non-standard tool. Pattern indicates SSH brute-force + persistence deployment typical of botnet ops & cred harvesters establishing C2 infrastructure for lateral movement & cmd execution. show less	Brute-Force SSH
🇧🇴 181.115.147.5	1 hour ago	Credential stuffing attack via libssh_0.9.6. Three auth attempts: 345gs5662d34/345gs5662d34, node/32 ... show more Credential stuffing attack via libssh_0.9.6. Three auth attempts: 345gs5662d34/345gs5662d34, node/3245gs5662d34, node/node123. Successful compromise. Commands executed: rm -rf .ssh, mkdir .ssh, injected RSA key AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx for unauthorized SSH access. Attempted immutability locks: chattr -ia .ssh, lockr -ia .ssh to prevent key removal. Attack pattern: automated cred scanning, SSH key injection for persistence, filesystem hardening against removal. libssh version suggests non-standard client (botnet/custom scanner). No file dl, no lateral movement detected. Focus: persistent SSH backdoor via key installation + attribute manipulation. show less	Brute-Force SSH
🇷🇴 80.94.92.182	1 hour ago	Golang SSH client, 4 sessions from single source. Weak creds attempted: sol/123, sol/321, solana/val ... show more Golang SSH client, 4 sessions from single source. Weak creds attempted: sol/123, sol/321, solana/validator, validator/validator. Post-auth recon only: uname, lspci, uptime for kernel/GPU/runtime details. No malware dl, no persistence, no lateral movement, no file transfers, no priv esc, no reverse shells. Activity suggests automated credential spray targeting Solana validator infra/dev envs. Resource assessment recon before potential secondary payload delivery. No interactive attacker control observed. show less	Brute-Force SSH
🇷🇴 80.94.92.182	2 hours ago	Go-based SSH client attempted three sessions over 14 minutes using weak ubuntu credentials (ubuntu/u ... show more Go-based SSH client attempted three sessions over 14 minutes using weak ubuntu credentials (ubuntu/ubuntu and ubuntu/ubuntu123). Session authentication succeeded at least once, enabling command execution. Attacker enumerated system information via uname command (kernel name, version, nodename, release, machine architecture) and checked system uptime. No malware payloads, persistence mechanisms, lateral movement, port forwarding, or data exfiltration observed. Activity indicates reconnaissance phase of potential botnet infection or manual exploitation chain, consistent with early-stage scanning operations that typically precede payload delivery. show less	Brute-Force SSH
🇧🇷 177.136.206.71	3 hours ago	used libssh 0.9.6 client to conduct SSH brute force with three credential pairs: 345gs5662d34/345gs5 ... show more used libssh 0.9.6 client to conduct SSH brute force with three credential pairs: 345gs5662d34/345gs5662d34, ll/3245gs5662d34, ll/ll across three sessions within 4 seconds. Two distinct command sequences were executed. First command removes existing SSH directory, recreates it, and injects a public RSA key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys, enabling passwordless key-based access for persistence. Second command attempts to modify file attributes using chattr and lockr tools to set immutable flags on .ssh directory, preventing accidental or intentional deletion and hardening persistence against remediation efforts. Attack demonstrates automated credential stuffing combined with SSH key injection for persistent backdoor access and attribute-level protection mechanisms to maintain foothold. show less	Brute-Force SSH
🇳🇱 45.148.10.183	3 hours ago	Go-based SSH client executing automated reconnaissance targeting GPU and system information. Four fa ... show more Go-based SSH client executing automated reconnaissance targeting GPU and system information. Four failed authentication attempts using common credential pairs (sol/1234567, solana variants with sequential numeric passwords). Upon compromise, attacker executed 7 distinct commands across 22 total invocations focused on hardware enumeration: system specifications via uname, GPU detection via lspci filtering for 3D controllers and VGA devices, NVIDIA GPU identification via nvidia-smi product name extraction with count validation, and system uptime retrieval. Attack pattern indicates fingerprinting for cryptocurrency mining infrastructure targeting systems with GPU acceleration (NVIDIA). No persistence mechanisms, lateral movement, or payload downloads observed. Session duration approximately 13 minutes with multiple reconnection attempts using incremental password variations. No malware artifacts identified. Activity consistent with automated scanning for systems suitable for GPU-based mining operations. show less	Brute-Force SSH
🇳🇱 45.148.10.183	4 hours ago	scanned system specifications and resource inventory using weak credentials (sol/sol, solana/solana) ... show more scanned system specifications and resource inventory using weak credentials (sol/sol, solana/solana) across 3 sessions in 10 minutes. Go-based SSH client conducted GPU reconnaissance—queried CPU cores via nproc, enumerated NVIDIA GPUs with lspci and nvidia-smi, extracted product names and counts. Also collected kernel version, hostname, and system uptime via uname and uptime commands. No malware downloads, persistence mechanisms, or lateral movement observed. Pattern consistent with cryptocurrency miner botnet reconnaissance targeting GPU-equipped systems for resource hijacking. Credentials suggest targeting Solana ecosystem infrastructure or systems with Solana-related naming conventions. No command execution beyond recon. show less	Brute-Force SSH
🇩🇪 130.12.180.51	4 hours ago	Executed multi-stage persistence chain via Go SSH client. Creds: admin/admin. (1) Dl'd/exec'd clean. ... show more Executed multi-stage persistence chain via Go SSH client. Creds: admin/admin. (1) Dl'd/exec'd clean.sh, deleted source. (2) Dl'd/exec'd setup.sh, deleted source. (3) Created ~/.ssh dir, used chattr -ia to remove immutable attrs from authorized_keys, injected RSA pubkey AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvn... for passwordless access. Execute-then-delete pattern indicates forensic awareness. chattr usage targets SELinux/attr-restricted systems. Go SSH client fingerprint suggests automated tooling/botnet. Attack sequence: initial access + persistence establishment. Pattern consistent with infrastructure compromise and credential abuse across services. Monitor for lateral movement and additional credential exploitation. show less	Brute-Force SSH
🇨🇳 14.103.79.11	4 hours ago	Credential spray attack using libssh 0.9.6 across 3 sessions. Attacker attempted credentials 345gs56 ... show more Credential spray attack using libssh 0.9.6 across 3 sessions. Attacker attempted credentials 345gs5662d34/345gs5662d34 and sugar/sugar123. Upon successful authentication, executed multi-stage attack: First command removed existing .ssh directory and created new one, then injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for persistence via passwordless SSH access. Second command used chattr and lockr utilities to make .ssh directory immutable (-ia flags), preventing removal or modification of injected keys. Attack chain establishes persistent backdoor access with anti-forensics hardening. Attack duration approximately 96 seconds across credential enumeration and exploitation phases. Infrastructure likely part of automated SSH scanning botnet targeting weak or default credentials for establishing persistent command and control access points. show less	Brute-Force SSH
🇲🇾 103.187.26.126	4 hours ago	conducted credential enumeration using libssh 0.9.6, attempting three user/password pairs: 345gs5662 ... show more conducted credential enumeration using libssh 0.9.6, attempting three user/password pairs: 345gs5662d34/345gs5662d34, fbapps/3245gs5662d34, and fbapps/fbapps123 across three sessions within 10 seconds. Executed SSH key injection attack: removed existing .ssh directory, recreated it, and injected a public RSA key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistent backdoor access. Second command attempted to lock down .ssh directory using chattr and lockr, hardening persistence against removal attempts. Attack pattern indicates automated credential cycling followed by SSH key establishment for long-term access, typical of botnet scanning and account takeover operations. Libssh 0.9.6 is outdated library commonly exploited by mass-scanning malware. show less	Brute-Force SSH