What You Get After Running an SSH Honeypot for 30 Days

submitted by
Style Pass
2024-06-16 05:00:03

For the 345gs5662d34 user, according to research from Aalborg University in Denmark, this could be the default credential for a Polycom CX600 IP telephone.

The execution of a mysterious script, ./oinasf, followed by attempts to read and display the system’s executable content, indicates a probing strategy for vulnerabilities or valuable information.

The use of /ip cloud print suggests that bots target MikroTik routers to access or disrupt cloud-based services, while uname -s -m provides them with essential details about the operating system and machine architecture, valuable for crafting further actions tailored to the system’s specifics.

These observations emphasize the bot's preference for direct manipulation and sustained access, highlighting the critical need for robust defenses against such common yet potentially devastating tactics.

This miner would simply create a cron job that deletes everything in the .ssh folder, adds a single SSH key, and locks other users out.
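The commands described above (uname -s -m, /ip cloud print, the dropped ./oinasf binary, and the cron job that replaces authorized_keys) are exactly the kind of indicators a defender would tag when reviewing honeypot sessions. The following is an added example, not code from the original post, that runs a small set of detection rules over constructed honeypot command-log lines (session id and command separated by a tab; the session ids, the busybox and cpuinfo commands, and the key material are made up for the sample):

```python
import re

# Constructed sample of honeypot command-log lines (session<TAB>command).
# Not real captures; the key string and session ids are placeholders.
SAMPLE_LOG = """\
s1\tuname -s -m
s1\t/ip cloud print
s1\tcat /proc/cpuinfo | grep name | wc -l
s2\t./oinasf
s2\tcat /bin/busybox
s3\t(crontab -l; echo '* * * * * rm -rf ~/.ssh; mkdir ~/.ssh; echo ssh-rsa AAAA-CONSTRUCTED > ~/.ssh/authorized_keys') | crontab -
s4\tls -la
"""

# Each rule is a (tag, regex) pair matched against one command line.
RULES = [
    # OS and architecture recon, as seen in the post.
    ("os_recon", re.compile(r"\buname\s+-s\s+-m\b")),
    # RouterOS command: the session is probing for a MikroTik device.
    ("mikrotik_probe", re.compile(r"/ip\s+cloud\s+print")),
    # Execution of a relative-path binary, e.g. a freshly dropped ./oinasf.
    ("dropped_binary_exec", re.compile(r"(^|[;&|]\s*)\./\S+")),
    # Cron job that wipes ~/.ssh and writes a new authorized_keys file.
    ("ssh_key_lockout",
     re.compile(r"rm\s+-\w*r\w*\s+\S*\.ssh\b.*authorized_keys")),
]


def classify_commands(log_text):
    """Return {session_id: sorted list of tags} for sessions that hit any rule."""
    hits = {}
    for line in log_text.splitlines():
        if "\t" not in line:
            continue  # skip malformed lines rather than failing the whole run
        session, cmd = line.split("\t", 1)
        for tag, rx in RULES:
            if rx.search(cmd):
                hits.setdefault(session, set()).add(tag)
    return {s: sorted(tags) for s, tags in hits.items()}


if __name__ == "__main__":
    for session, tags in classify_commands(SAMPLE_LOG).items():
        print(session, ", ".join(tags))
```

Sessions with no rule hits (s4 above) are omitted from the result, so the output is a short triage list rather than the full log.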
