As you can see on the image, my sensor was quite busy around Christmas, there were massive amounts of korgo scanning, exploiting and uploading itself to the poor box.
To be honest, we have no idea why this happened, per default the box handles about 2-20 connections simultaneously, during these days there were peaks of more than 200 connections, and actually … we don't know why.
Spent some time crawling the web to check if other people noticed the peak too, but isc.sans.org claimed the weekends around Christmas were quite silent, and nobody else reported any abnormal amounts of scanning activity around Christmas.
But, for now it's over, and maybe someone else noticed the peak and wants to drop me a line. The files spreading that active are:
x.exe a0139d7ad8c6d91f13b21e85186331c1 x.exe 7f60162c2c0bd2cc7531e51328e98290 (csend file without name) 042774a2b7784ee0f7462e3ce721ec0f
You may want to grep your logged_submission logfile for the hashes.
Nepenthes 0.1.5 got accepted in FreeBSD Ports.
Thanks to the ports maintainer, and we encourage all maintainers/packagers to tell us what they had to change to get it running on their operating system/distribution, so we can at least think about incoperating their changes into the normal package.
We recently saw the quite old rcp.exe getting used to transferr viri.
We will add support for rcp, but currently we found no doc about it, no rfc, no specs,
resolves to the successor scp with me, the source is more scary than documenting …
So if you got any docs about the good old rpc, feel free to mail us, we need it.