We’ve found interesting new traffic within our Honeytrap agents, originating exclusively from servers in Russia (specifically, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following SSH commands:
Article Link: https://isc.sans.edu/diary/rss/23762