Used credentials ubuntu/qwer1234 to gain SSH access via Go-based SSH client. Single command executed: /bin/./uname -s -v -n -r -m, a standard system reconnaissance probe to enumerate OS type, version, hostname, kernel release, and machine architecture. No malware deployment, persistence mechanisms, lateral movement attempts, or file downloads observed. Attack duration approximately 5 seconds. This represents initial reconnaissance activity typical of automated scanning or botnet enumeration phases. The obfuscated command path (/bin/./ prefix) suggests a potential evasion attempt, though functionality remains unchanged. No follow-up exploitation or post-compromise activity detected within session timeframe.
Three SSH sessions from Go-based client. Credentials attempted: banxgg/banxgg, solv/banx, solv/validator. Reconnaissance focus: executed uname to enumerate OS details (kernel version, hostname, architecture), lspci piped to grep VGA to identify GPU hardware, and uptime -p for system runtime metrics. Pattern indicates automated enumeration of system specifications typical of botnet reconnaissance or resource assessment for crypto-mining deployment. No persistence mechanisms, lateral movement, or malware deployment observed. No downloads initiated. Activity consistent with initial profiling phase preceding potential payload delivery or system hijacking.
Credential brute-force attack using libssh library. Three credential pairs attempted: 345gs5662d34/345gs5662d34, cssserver/123, cssserver/3245gs5662d34. Attack executed SSH key injection and file attribute manipulation. First command removed existing .ssh directory, recreated it, and injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistence and remote access. Second command attempted to modify inode attributes on .ssh directory using chattr and lockr commands to prevent deletion or modification. Attack chain indicates preparation for sustained remote access with anti-forensics measures. Session duration of 2.3 seconds across three separate login attempts suggests automated scanning/exploitation tool. libssh_0.11.1 client suggests non-interactive exploitation framework rather than manual attacker interaction.
Performed system reconnaissance targeting GPU capabilities across 6 sessions using credential spraying against "sol"-based accounts (sol/sol, solana/solana, solv/1234, solv/123456, solv/12345678, solv/solv). SSH client identified as SSH-2.0-Go. Commands executed: uname (system info), lspci queries filtering for 3D controllers and VGA devices with counts and detailed output, nproc (CPU core enumeration), nvidia-smi queries targeting GPU product names and counts, uptime. Attack pattern indicates botnet reconnaissance for mining-capable infrastructure or GPU resource availability assessment. No persistence mechanisms, lateral movement, or malware deployment observed in this session window. Activity consistent with initial vulnerability scanning or mining botnet node qualification phase.
Four login attempts using credential variations for user 'solv' (passwords: 123456, 12345678, solv, solv123). SSH client identified as SSH-2.0-Go, indicating programmatic scanning/exploitation activity. Two distinct commands executed post-authentication: uname system enumeration (kernel, version, hostname, architecture) and uptime reconnaissance. No malware payloads, persistence mechanisms, or lateral movement observed. Activity pattern consistent with automated credential spraying followed by basic system profiling on successful authentication. No downloads or file modifications detected.
Credential brute-force (root/12345) via SSH. Attacker established 6 sessions over 4.8 hrs, deployed hidden executable to /tmp/.dockerd (1.5 MB). File created via cat redirection, chmod 777 applied for world-readable exec—privilege escalation/persistence technique. SHA256: ea72f32257d5f84060255d86438047d51645245dd701f53dde4a2e7bcb2593a1. Staging in /tmp exploits default world-writable perms. Attack pattern: automated scanning + credential stuffing + payload delivery. No lateral movement, port forwarding, or secondary malware detected. Persistence depends on /tmp binary remaining executable across reboots unless cleaned. Unknown SSH client fingerprint suggests modified OpenSSH or custom tool. Recommend: block source IP, scan internal systems for .dockerd artifacts, audit root access logs for successful auth, analyze binary for malware classification and C2 patterns.
Brute-force SSH attack using libssh library with two credential pairs (root/3245gs5662d34, root/aabbcc). Attacker established 3 sessions over 19 seconds. Primary objective was SSH key persistence: removed existing .ssh directory and recreated it, then injected a public RSA key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for future rootkit access without password authentication. Secondary commands attempted to modify file attributes using chattr (remove immutable flag from .ssh) and a lockr command (likely typo or non-standard tool attempting similar attribute manipulation). Attack demonstrates automated compromise methodology targeting privilege escalation and persistence via SSH key injection, preventing detection through standard credential monitoring. Indicators suggest bot-driven activity with pre-configured payloads for rapid lateral movement across vulnerable systems.
Deployed SSH key persistence via RSA public key injection (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx). Brute-forced creds using libssh 0.9.6: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/abc123456@. Post-exploitation: removed .ssh dir, injected key, modified perms with chattr -ia to lock immutability on .ssh, preventing removal by admin actions. Six sessions in 20-sec window after successful compromise. No file dl, lateral movement, or recon observed—attack focused solely on durable unauthorized access establishment via SSH key injection with attribute locking.
Attempted credential enumeration using three distinct username/password pairs (345gs5662d34/345gs5662d34, root/1234@rewq, root/3245gs5662d34) via libssh 0.9.6. Two commands executed successfully across separate sessions. First command chain removes existing .ssh directory, recreates it, and installs a persistent SSH public key (RSA AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for future unauthorized access. Second command applies immutability attributes to .ssh directory (chattr -ia) followed by attempted invocation of 'lockr' utility, likely to prevent SSH directory modification or removal. Activity demonstrates credential stuffing, SSH key persistence installation, and filesystem hardening to maintain access and resist remediation. libssh version 0.9.6 indicates automated scanning or tool-based exploitation rather than manual interactive access.
Attempted three separate SSH sessions using static credential root/root via Go-based SSH client. First session executed current directory listing (./) followed by busybox TEST command—likely probing for command execution capabilities and busybox availability. Second session ran cat /proc, attempting to read process information for reconnaissance. Third session executed echo SHELL_TEST for shell environment validation. No payloads downloaded, no persistence mechanisms deployed, no lateral movement observed. Activity pattern suggests automated scanning/testing rather than targeted compromise attempt. No malware families or known exploit tools identified. Credential stuffing attack with minimal post-compromise activity.
Brute force SSH creds: root/3245gs5662d34, root/zaq1@WSXcde3. Client: libssh 0.9.6. Attacker authenticated, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for passwordless access. Removed/recreated .ssh dir, executed chattr -ia to prevent deletion/modification. 'lockr' cmd suggests custom locking utility. Persistence hardened against forensic removal. No malware dl or lateral movement observed. Three sessions in 28-second window indicate automated reconnaissance/multi-threaded activity. Sustained access risk high for future operations.
Credential enumeration attack using weak/default credentials (345gs5662d34/345gs5662d34, reza/reza@123). Attacker utilized libssh 0.11.1 client across 3 sessions. Primary objective: SSH key persistence. Attack chain involved removing existing .ssh directory, recreating it, and injecting RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for credential-free access. Secondary command attempted to manipulate file attributes using chattr and lockr utilities to prevent key removal. This indicates preparation for persistent backdoor access and resistance to remediation. Attack occurred over approximately 2 minutes with multiple connection attempts, suggesting either manual reconnaissance or automated credential spraying. Standard SSH brute-force signature with persistence focus typical of botnet activity or credential stuffing campaigns.
Attempted credential abuse across 3 sessions using libssh 0.9.6. Creds tested: 345gs5662d34/345gs5662d34, xyh/3245gs5662d34, xyh/xyh. Commands executed focused on SSH key persistence and file attribute manipulation. First chain removed .ssh directory, recreated it, injected SSH public key (RSA fragment: AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx). Second cmd attempted chattr -ia flags on .ssh directory for immutable/append-only attributes, followed by unrecognized "lockr" command. Attack pattern indicates automated compromise toolkit targeting SSH config for persistence. Cred list appears randomly generated. libssh version suggests automated exploitation framework deployment.
Cred attack: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/Qq12345. Attacker used libssh 0.9.6 to exec cmds across two sessions. Attack chain: removed .ssh dir, created new .ssh dir, installed RSA pubkey AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4UKhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx for persistence. Secondary cmd: chattr -ia and lockr -ia on .ssh dir to prevent key removal/modification. Standard SSH key persistence + defensive hardening against remediation. Three creds suggest distributed scanning or stuffing. No malware dl or lateral movement observed. Duration ~4 sec across 3 sessions indicates rapid exploitation of compromised creds.
Brute-force attempts on generic accts (345gs5662d34, jenkins) across 3 sessions using libssh 0.11.1. Successful cmd exec targeting SSH key manipulation and persistence. Cmd chain: navigated home dir, removed .ssh, recreated it, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx). Second cmd attempted disabling file immutability via chattr and lockr utility on .ssh dir to prevent removal of malicious keys. Attack pattern: automated credential spray + opportunistic persistence. libssh use indicates scripted/toolkit activity. No secondary payloads observed, but SSH key injection enables future unauthorized access bypassing password changes.
Attempted credential brute force using libssh 0.9.6. Three login attempts with credentials: 345gs5662d34/345gs5662d34, marmot/3245gs5662d34, marmot/marmot. Upon successful authentication, executed SSH key injection attack: removed existing .ssh directory and recreated it, then wrote truncated RSA public key to authorized_keys. Second command removed immutable file attributes from .ssh directory using chattr and executed lockr binary with immutable/append-only flags, likely attempting to lock down persistence mechanism or prevent removal. Attack pattern consistent with botnet initial access and SSH backdoor establishment. No payloads downloaded; persistence attempted through SSH key injection and file attribute manipulation. Rapid succession of commands (7 seconds total) suggests automated exploitation. libssh 0.9.6 client version indicates potential SSH client vulnerability exploitation or credential stuffing bot. No lateral movement observed within session window.
Conducted SSH brute force across 3 sessions using libssh_0.9.6, attempting credentials: 345gs5662d34/345gs5662d34, mine/123, mine/3245gs5662d34. Post-exploitation payload involved SSH key injection for persistence. Executed destructive commands targeting SSH configuration: removed existing .ssh directory, recreated it, and injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for passwordless remote access. Second payload used chattr and lockr commands to remove file immutability flags (-ia), suggesting attempted privilege escalation or preparation for malware installation by removing OS-level file protections. Attack chain indicates credential enumeration followed by immediate persistence mechanism deployment via SSH key injection and file attribute manipulation to bypass security controls.
Attack chain: Three credential attempts using libssh 0.9.6 scanner. Primary payload modifies SSH directory permissions and injects RSA public key for persistence. Attack sequence: (1) removes ~/.ssh directory and recreates it, (2) echoes attacker-controlled RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for remote access persistence. Secondary commands attempt to lock down SSH directory via chattr -ia (immutable attribute removal) and reference to lockr utility, likely securing backdoor against future removal. Credentials: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/abcd@1234. libssh 0.9.6 indicates automated scanner/botnet activity targeting weak credentials. No malware downloads observed. Attack focused on SSH key-based persistence mechanism for sustained access. No lateral movement commands detected within session window.
Deployed SSH key persistence across two sessions using libssh library. Session 1 executed rm -rf .ssh && mkdir .ssh followed by echo command injecting RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for passwordless access. Session 2 attempted to modify file attributes using chattr -ia .ssh to prevent removal, followed by lockr command (likely typo for 'chattr' or unknown tool) to further lock down SSH directory. Credentials deploy/123321 and deploy/3245gs5662d34 were used across sessions. Attack chain demonstrates standard SSH key persistence technique combined with file locking to maintain access and resist remediation. No payload downloads or lateral movement observed. Persistence mechanism prioritized to ensure continued access despite credential changes.
Conducted single SSH session using Go SSH client with credential root/------fuck------. Executed reconnaissance commands (uname -m, uname -s) to identify system architecture, then downloaded executable aarch64 from hxxp://195[.]177[.]94[.]72:3594/s/aarch64 to /tmp directory with chmod 777 permissions. Attack chain indicates staged malware delivery targeting ARM-based systems. No persistence mechanisms or lateral movement observed within session window, but successful download suggests secondary payload execution likely followed. Infrastructure at 195[.]177[.]94[.]72:3594 serves as malware distribution point. Attack pattern consistent with automated botnet reconnaissance and infection framework typical of Linux IoT/embedded device targeting campaigns.
Attempted 2 SSH sessions using Go-based SSH client (likely automated scanning/botnet). Single credential pair tested: root with password containing profanity string. Only reconnaissance command executed: uname -s -m to identify system architecture and kernel type. No malware deployed, no persistence mechanisms installed, no lateral movement observed, no data exfiltration. Attack pattern indicates lightweight automated probing rather than sophisticated intrusion attempt. Go SSH client suggests possible botnet activity or automated vulnerability scanner. Activity lasted approximately 7 seconds across both sessions with minimal command execution, characteristic of mass-scale credential stuffing or opportunistic scanning operations targeting default credentials.
Brute-Force, SSH