[nsp-sec] SSH scanners on the rise
Jeff Wolfe
wolfe at ems.psu.edu
Mon Aug 9 11:57:51 EDT 2010
On 8/9/10 11:19 AM, Thomas Hungenberg wrote:
>> Yeah, sounds familiar..
>>
>> In case it's helpful to anyone, we had 2 incidents of http/phpmyadmin
>> attempts coming from 91.193.157.206. I looked at it in a sandbox. If it
>> finds a vulnerable version of phpMyAdmin, it downloads the dd_ssh php
>> script from that same IP via ftp.
>>
>> The PHP container has a linux executable that appears to be the ssh
>> scanner. Once installed and executed, the copy of dd_ssh we observed
>> tried to contact an apparent C&C at 85.214.117.64 on 54509.
>
> Is this also 24dac6bab595cd9c3718ea16a3804009 ?
Yep.. Same MD5.
The FTP site at 91.193.157.206 seems to still be operating. It's also
now throwing a C&C of 85.114.129.49.
-Jeff
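The indicators quoted in this thread (scanner/drop IP, the two C&C addresses, the port, the MD5) lend themselves to a quick triage pass over web logs, socket tables and suspect binaries. The script below is an added example and is not code from the thread or from the dd_ssh kit. The access-log lines and the netstat-like connection table it runs on are constructed samples; the phpMyAdmin probe-path patterns and the connection-table format are assumptions, and C&C matching is on IP only because the thread gives a port for just the first address.

```python
"""Triage check built from the indicators quoted in the nsp-sec thread above.

Added example; not code from the thread or from the dd_ssh kit. The sample
access-log lines and the connection table are constructed, and the
probe-path patterns and connection-table format are assumptions.
"""
import hashlib
import re

# Indicators taken from the thread itself.
SCANNER_IP = "91.193.157.206"                      # phpMyAdmin probes + FTP drop site
CNC_IPS = {"85.214.117.64", "85.114.129.49"}       # observed C&C addresses
CNC_PORT = 54509                                   # port seen with 85.214.117.64 only
DD_SSH_MD5 = "24dac6bab595cd9c3718ea16a3804009"    # sample both posters matched on

# Path fragments typical of phpMyAdmin probing (assumption, not from the thread).
PROBE_PATH = re.compile(r"phpmyadmin|/pma/|/myadmin/", re.IGNORECASE)

# Apache combined log: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_phpmyadmin_probes(log_lines):
    """Return (client_ip, path, status, known_scanner) for each phpMyAdmin-style probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        client, _method, path, status = m.groups()
        if PROBE_PATH.search(path):
            hits.append((client, path, int(status), client == SCANNER_IP))
    return hits


def find_cnc_connections(conn_lines):
    """Flag sockets whose remote address is one of the C&C IPs.

    Input format (constructed, netstat-like): "proto local:port remote:port state".
    """
    flagged = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _proto, local, remote, state = parts[:4]
        remote_ip, remote_port = remote.rsplit(":", 1)
        if remote_ip in CNC_IPS:
            flagged.append((local, remote_ip, int(remote_port), state))
    return flagged


def md5_of(data: bytes) -> str:
    """Hex MD5 of a candidate binary's contents (MD5 is what the thread compares on)."""
    return hashlib.md5(data).hexdigest()


def is_known_dd_ssh(data: bytes) -> bool:
    """True if the contents hash to the dd_ssh sample discussed in the thread."""
    return md5_of(data) == DD_SSH_MD5


# --- constructed sample inputs ---------------------------------------------
SAMPLE_ACCESS_LOG = """\
91.193.157.206 - - [09/Aug/2010:10:02:11 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 291 "-" "-"
91.193.157.206 - - [09/Aug/2010:10:02:12 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 285 "-" "-"
198.51.100.7 - - [09/Aug/2010:10:05:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Aug/2010:10:07:02 -0400] "GET /PhpMyAdmin/ HTTP/1.0" 404 280 "-" "-"
""".splitlines()

# Port on the second C&C line is constructed; the thread does not give one for it.
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:41234 85.214.117.64:54509 ESTABLISHED
tcp 10.0.0.5:41300 198.51.100.20:443 ESTABLISHED
tcp 10.0.0.5:41310 85.114.129.49:54509 SYN_SENT
""".splitlines()

if __name__ == "__main__":
    for client, path, status, known in find_phpmyadmin_probes(SAMPLE_ACCESS_LOG):
        tag = "KNOWN SCANNER" if known else "probe"
        print(f"{tag:13} {client} {path} -> {status}")
    for local, rip, rport, state in find_cnc_connections(SAMPLE_CONNECTIONS):
        print(f"C&C contact   {local} -> {rip}:{rport} ({state})")
    print("dd_ssh sample?", is_known_dd_ssh(b"not the sample"))
```

Point find_phpmyadmin_probes at a real access log and find_cnc_connections at the output of a socket listing in the same four-column shape; a 404 on the probe paths is still worth recording, since the same source IP hosted the dropper and may come back once a vulnerable install appears.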