[nsp-sec] SSH scanners on the rise

Thomas Hungenberg th.lab at hungenberg.net
Mon Aug 9 11:19:32 EDT 2010


Jeff Wolfe wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> On 8/9/10 8:12 AM, Thomas Hungenberg wrote:
>> ----------- nsp-security Confidential --------
>>
>> Joel Rosenblatt wrote:
>>> Attached is the list of scanners from last night (about 835). The number
>>> has been increasing by about 200 for the last 4 days.
>>
>> I recently heard of some web server compromises via vulnerabilities in
>> phpMyAdmin where the attackers installed '/tmp/dd_ssh'
>> (MD5 24dac6bab595cd9c3718ea16a3804009) to launch SSH bruteforce attacks.
>>
>> Looks similar to:
>> <http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11719.html>
> 
> 
> Yeah, sounds familiar.
> 
> In case it's helpful to anyone, we had 2 incidents of http/phpMyAdmin
> attempts coming from 91.193.157.206. I looked at it in a sandbox. If it
> finds a vulnerable version of phpMyAdmin, it downloads the dd_ssh php
> script from that same IP via ftp.
> 
> The PHP container has a linux executable that appears to be the ssh
> scanner. Once installed and executed, the copy of dd_ssh we observed
> tried to contact an apparent C&C at 85.214.117.64 on 54509.

Is this also 24dac6bab595cd9c3718ea16a3804009?


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team
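A small host-side check built only from the indicators quoted in this thread (the dd_ssh MD5 and the C&C endpoint 85.214.117.64:54509). This is an added example, not a tool from CERT-Bund or from any poster; the file contents and netstat lines it runs on are constructed, and the path list is an assumption based on the '/tmp/dd_ssh' mentioned above.

```python
import hashlib
import re

# Indicators as quoted in the thread; anything below this block is constructed sample data.
DD_SSH_MD5 = "24dac6bab595cd9c3718ea16a3804009"
CNC_ENDPOINT = ("85.214.117.64", 54509)
SUSPECT_PATHS = ("/tmp/dd_ssh",)   # assumption: the path named in the thread


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_files(files: dict) -> list:
    """files maps path -> file contents (bytes). Returns human-readable findings.
    A hash hit identifies the exact sample; a path hit alone only flags a look-alike."""
    findings = []
    for path, data in files.items():
        digest = md5_of_bytes(data)
        if digest == DD_SSH_MD5:
            findings.append(f"known dd_ssh sample at {path} (md5 {digest})")
        elif path in SUSPECT_PATHS:
            findings.append(f"suspicious path {path} (md5 {digest}, not the known sample)")
    return findings


# Matches `netstat -tn` style lines: proto recv-q send-q local:port remote:port state
NETSTAT_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def check_connections(netstat_lines: list) -> list:
    """Flag any connection whose remote side is the C&C endpoint from the thread."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        remote = (m.group(3), int(m.group(4)))
        if remote == CNC_ENDPOINT:
            hits.append(f"{m.group(1)}:{m.group(2)} -> {remote[0]}:{remote[1]} ({m.group(5)})")
    return hits


if __name__ == "__main__":
    # Constructed inputs: a file at the suspect path that is NOT the real sample,
    # and two connection lines, one of them to the C&C endpoint.
    print(check_files({"/tmp/dd_ssh": b"constructed placeholder, not the real binary"}))
    print(check_connections([
        "tcp        0      0 10.0.0.5:41022        85.214.117.64:54509   ESTABLISHED",
        "tcp        0      0 10.0.0.5:22           192.0.2.10:51544      ESTABLISHED",
    ]))
```

On a real host the inputs would come from hashing the files under /tmp and from `netstat -tn`; the MD5 only catches that exact sample, so the path and C&C checks are there to catch rebuilt copies.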
