Hudak’s Honeypot (Part 2)

This is Part 2 in a series. Part 1 is here. During my triage I noticed a suspicious file /var/tmp/dk86. It’s a 64-bit Linux ELF executable, owned by user “daemon”, created 2021-11…

righteousit.wordpress.com

Tyler Hudak · Dec 21, 2021 · 4:06 PM UTC

Tyler Hudak @SecShoggoth

21 Dec 2021

Also you are correct - the Mozi files were created by me. I just forgot. 🤪

Hal Pomeranz · Dec 21, 2021 · 4:12 PM UTC

Hal Pomeranz · Dec 21, 2021 · 4:12 PM UTC

Hal Pomeranz @hal_pomeranz

21 Dec 2021

Replying to @SecShoggoth @CraigHRowland

Yeah, it didn’t seem likely to me that an attacker would be installing the UPX unpacker to look at the binary.

Dec 21, 2021 · 4:12 PM UTC

Tyler Hudak · Dec 21, 2021 · 4:32 PM UTC

Tyler Hudak @SecShoggoth

21 Dec 2021

Replying to @hal_pomeranz @CraigHRowland

LOL. As you can see, I never initially meant for the honeypot to be released publicly so didn't keep it as pristine as I could have. :)