Credential attack using "root/---fuck_you----" via Go SSH client. Single command execution: uname -s -m for system enumeration. No malware, persistence mechanisms, lateral movement, or data exfiltration observed. Attack duration approximately 10 seconds across 2 sessions. Appears to be initial reconnaissance probing.
Weak creds exploited for SSH access: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/@qwer2025. Attacker removed .ssh dir and recreated with RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) injected into authorized_keys for persistence. Used chattr/lockr cmds to modify inode attrs on .ssh dir, blocking deletion/modification even by root. libssh 0.9.6 client indicates automated framework. Pubkey injection + filesystem attr locking = sophisticated persistence designed to survive standard remediation. Attack completed <6sec, consistent with automated spraying. No malware dl observed. Demonstrates Unix permission knowledge and attr manipulation for anti-forensics.
exploited weak credentials (azureuser/12345, azureuser/3245gs5662d34, 345gs5662d34/345gs5662d34) across 3 SSH sessions within 9 seconds using libssh 0.9.6. Primary objective was SSH key persistence: removed existing .ssh directory, recreated it, and injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) into authorized_keys for passwordless access. Secondary commands attempted to disable file attribute changes (chattr -ia .ssh) and lock permissions, likely to prevent admin removal of backdoor key. Attack pattern indicates automated credential stuffing followed by systematic persistence deployment. No downloads or lateral movement observed. Credentials suggest targeting Azure cloud instances or administrative accounts.
performed credential stuffing across 3 sessions using libssh_0.11.1, attempting credentials: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/Ds@123456. Post-authentication, executed two-stage persistence mechanism: first command removed existing .ssh directory, recreated it, and injected malicious RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistent key-based access. Second command changed filesystem attributes on .ssh directory using chattr -ia (immutable and append-only flags), then attempted to invoke lockr utility (likely custom persistence tool or typo for standard utilities) with identical flags to prevent future removal. Attack demonstrates knowledge of SSH hardening evasion and host-level persistence through filesystem attribute manipulation combined with authorized_keys injection. Full RSA public key recovered enables tracking if key reused across other targets.
Credential stuffing on Strapi CMS. Three cred pairs attempted: 345gs5662d34/345gs5662d34, strapi/3245gs5662d34, strapi/strapipass. libssh 0.9.6 client used across three sessions in nine seconds. Post-auth: SSH persistence via .ssh manipulation, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4UKhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx). Commands: removed .ssh folder, recreated it with RSA key. Executed chattr -ia and lockr -ia to lock down SSH directory, suggesting defensive behavior or lateral movement prep. No malware dl, exfiltration, proxy/tunnel creation. Attack chain: brute force > SSH key persistence > lock directory. Standard Strapi exploitation for interactive shell access. Rapid automated execution indicates script-driven attack.
Credential brute force via libssh 0.9.6 across 3 sessions in 10 seconds. Creds tested: 345gs5662d34/345gs5662d34, root/3245gs5662d34, root/asdf1234!@#$. Two cmd chains executed: (1) Deleted .ssh folder, recreated it, injected RSA public key (AAAAB3NzaC1yc2EAAA...) into authorized_keys for SSH persistence. (2) Exec chattr -ia on .ssh directory to set immutable/append-only flags, preventing key deletion. Referenced "lockr" tool with -ia flags. Attack pattern: automated scanning + SSH key persistence + anti-forensic measures to restrict admin removal of compromised creds. Rapid exploitation lasting ~10 sec, consistent with scripted methodology. No malware dl observed but successful execution establishes persistent SSH backdoor with restricted admin capabilities.
established 3 SSH sessions using credentials ak/3245gs5662d34 and ak/ak@123 via libssh 0.11.1 client. Primary attack chain involved SSH key injection for persistence. First command removed existing .ssh directory, recreated it, and injected public RSA key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx...) into authorized_keys for passwordless remote access. Second command attempted to modify file attributes using chattr -ia to prevent key removal, followed by invocation of "lockr" utility (likely typo or non-standard tool attempting similar file locking). Attack demonstrates SSH persistence technique targeting root or privileged account. No malware downloads observed. No lateral movement or port forwarding commands detected. Credentials suggest automated credential stuffing or dictionary attack pattern (generic username with weak password variants).
Brute force attack across 3 credential pairs using libssh 0.9.6. Successfully authenticated with at least one cred set. SSH key injection executed: removed .ssh dir, recreated it, implanted RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistent access. chattr -ia cmd issued on .ssh dir to prevent deletion. Lockr cmd attempted (malformed). Attack chain indicates persistence setup for unauthorized access maintenance and potential privilege escalation/lateral movement. Cred pattern (alphanumeric strings like "345gs5662d34") suggests dictionary/automated attack. Activity completed within 4 seconds across 3 sessions, typical of automated scanning. SSH key injection with immutability flags prioritized for persistence.
conducted credential stuffing using libssh 0.9.6 across three login attempts, succeeding with swapna/swapna123. Initial access resulted in SSH directory manipulation: removed ~/.ssh, recreated it, and injected RSA public key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for persistence via unauthorized SSH key addition. Second command attempted to lock down the .ssh directory using chattr -ia to prevent deletion and modifications, followed by an unrecognized command (lockr -ia .ssh) that may be a typo or custom utility. Attack chain demonstrates classic persistence pattern: credential compromise, authorized_keys manipulation, and filesystem attribute hardening to prevent remediation. Low sophistication but effective for maintaining persistent backdoor access. No malware downloads or lateral movement observed during session window, though SSH key injection enables future passwordless access.
Credential brute force via libssh_0.11.1 targeting creds: 345gs5662d34/345gs5662d34, root/12qwaszX, root/3245gs5662d34. Attack chain: removed .ssh dir, recreated it, injected RSA pub key (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx) for passwordless auth. Used chattr -ia on .ssh dir to set immutable/append-only flags preventing deletion. Invoked lockr cmd with identical flags for additional protection. Goal: persistent SSH access resilient against incident response deletion attempts. Automated exploitation focused on persistence mechanisms.
Reconnaissance and credential compromise activity. Attacker used libssh client to enumerate system resources (CPU, memory, disk) via Linux inspection cmds. Password change executed: echo pipe to passwd utility, new cred w90mcS3i8SxG. SSH key injection: removed .ssh dir, created new one, injected RSA pubkey (AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXx...). Cmds included chmod modifications (.ssh perms hardened), crontab enum, file attr manipulation (chattr, lockr) suggesting intent to prevent cleanup of injected SSH keys. Pattern indicates post-compromise persistence: passwordless SSH access, prevent authorized_keys removal. Three sessions within ~2 min window suggest automated scanning or scripted exploit. No malware dl or lateral movement observed.
Go-based SSH client attempted exploitation with three sessions over 8 minutes using weak credentials: sol/123, sol/sol/1234, and ubuntu/ubuntu. All three credentials achieved successful authentication. Post-authentication reconnaissance executed: system enumeration via uname with full output flags (system, version, nodename, release, machine), GPU detection through lspci VGA filtering, and uptime query. No malware downloads, persistence mechanisms, lateral movement, or port forwarding observed. Attack pattern indicates automated reconnaissance scanning for system fingerprinting and resource profiling, likely probe activity for victim classification before staged payload delivery or exploitation. No command injection attempts or shell metacharacters detected in executed commands. Sessions terminated after reconnaissance phase without further activity.
Brute-Force, SSH