Not to say that Huthos are innocent, but I don't see any concrete proof that they are behind this attack. The fact that they are hosting a server provisioning script is hardly crazy, given that they are a hosting provider. What's to say that the ACTUAL attacker didn't just come across the provisioning script and decide to use it for themselves? The script URL is listed publicly online: http://yandicunk.blogspot.co.uk/2015/03/cara-setting-dan-ins... & http://huthos.com/tutorial/autoscripthuthos.html
"It also appears that the hackers attack machine may be hosting an unauthenticated web proxy" makes it sound like the attacker owns the machine they were connecting from. IMO, chances are that "49.213.23.171" is just another compromised box.
Hi, thanks for your comment. It wasn't really my objective to find the smoking gun and bring Huthos' operation crumbling to the ground. Like you, I don't definitively know that the operators of the website are the same people that broke into my honeypot without permission. It seems more likely than another totally unrelated bad guy knowing where the file paths are to the Huthos provisioning scripts when directory listing isn't enabled, as well as other small nuances that I gathered while investigating this attack (the operators of the website posting videos of them exploiting Shellshock on their YouTube channel, etc.).
Your article definitively implies Huthos is behind this. If you're serious about not bringing them down, you should change the title and put a disclaimer at the top explaining the uncertainty.
Agreed - after doing a little more digging myself, it does seem likely that they are selling access to hacked machines - however, I'm sure there are other cases of attackers using legitimate scripts to provision their servers!
Also - has anyone seen how cheaply access is being sold!? It's pennies!
I agree - if that's what the script was doing, then it would be dodgy. But that's not what the script does. `screenfetch` prints out system info in a pretty, ASCII-arty way, like this: http://i.imgur.com/TgaPHqa.png

`echo "screenfetch" >> .bashrc`

just causes system info to be printed to the screen with every new bash session.
I guess if they were really doing this and you wanted to fuck with them, you could honeypot until a few clients are on, then start putting up illegal-in-Indonesia content (shouldn't be too hard). Might make them think twice.