[nsp-sec] SSH scanners on the rise
Jeff Wolfe
wolfe at ems.psu.edu
Mon Aug 9 10:52:53 EDT 2010
On 8/9/10 8:12 AM, Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Joel Rosenblatt schrieb:
>> Attached is the list of scanners from last night (about 835) The number
>> has been increasing by about 200 for the last 4 days.
>
> I recently heard of some web server compromises via vulnerabilities in phpMyAdmin
> where the attackers installed '/tmp/dd_ssh' (MD5 24dac6bab595cd9c3718ea16a3804009)
> to launch SSH bruteforce attacks.
>
> Looks similar to:
> <http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11719.html>
Yeah, sounds familiar...
In case it's helpful to anyone, we had 2 incidents of http/phpmyadmin
attempts coming from 91.193.157.206. I looked at it in a sandbox. If it
finds a vulnerable version of phpMyAdmin, it downloads the dd_ssh php
script from that same IP via ftp.
The PHP container has a Linux executable that appears to be the ssh
scanner. Once installed and executed, the copy of dd_ssh we observed
tried to contact an apparent C&C at 85.214.117.64 on 54509.
-Jeff
--------------------------------------------------------
Penn State - College of Earth and Mineral Sciences
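As an added example (not from this thread or either poster): a small Python check that flags the indicators quoted above, the FTP fetch from the scanning host, the beacon to the reported C&C port, and the MD5 of a dropped /tmp/dd_ssh. The flow-record format and the sample records are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Indicators as quoted in the thread
DD_SSH_MD5 = "24dac6bab595cd9c3718ea16a3804009"
SCANNER_IP = "91.193.157.206"          # phpMyAdmin probes; also the FTP host for the dropper
CC_IP, CC_PORT = "85.214.117.64", 54509 # reported C&C contact

# Constructed sample flow records: "src:sport -> dst:dport proto" (assumed format)
SAMPLE_FLOWS = """\
10.0.0.5:51234 -> 91.193.157.206:21 tcp
10.0.0.5:51240 -> 85.214.117.64:54509 tcp
10.0.0.7:44321 -> 203.0.113.10:443 tcp
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def suspicious_flows(text):
    """Return (src, reason) for every record matching the thread's network indicators."""
    hits = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, _sport, dst, dport, _proto = m.groups()
        if dst == CC_IP and int(dport) == CC_PORT:
            hits.append((src, "c2-beacon"))
        elif dst == SCANNER_IP and int(dport) == 21:
            hits.append((src, "ftp-from-scanner"))
    return hits


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def check_dd_ssh(path="/tmp/dd_ssh"):
    """None if the file is absent, else whether its MD5 matches the quoted sample."""
    p = Path(path)
    if not p.is_file():
        return None
    return md5_hex(p.read_bytes()) == DD_SSH_MD5


if __name__ == "__main__":
    print(suspicious_flows(SAMPLE_FLOWS))
    print(check_dd_ssh())
```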