While collecting stats from last month we did a nice discovery in the ssh logs from kippo.
( we talk about gb.sh )
It first came up at our splunk dashboard, and while checking the link it was still online. Curious to find out more about the file we started to dig into it.
We learned that the shell script is actually downloading another 6 files that are pre compiled and will be given executable rights, as last they will be started.