Kippo: Intruder caught in action

From the video, I can see the attacker’s goal was to implement the downloaded tools. Package called flood.tgz has been downloaded and decompressed to local drive.

The attacker tried to executed one of the tools called “httpd”. However it failed. After realized the hacked server do not have enough capability to run the tool, the attacker have executed rm -rf to the folder.

To get more further in my analysis, I have ran Zerowine ( to analyze the program called “httpd” form the attacker. I have only use strings feature on zerowine to see whats inside the “httpd”.

From the video you can see a strings came from the “httpd”. Its so obvious the attacker wants to run some sort of bot. The bot will connect to the selected server and will get control from the master once the bot successfully propagated.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s