[nsp-sec] SSH scanners on the rise
Stephen Gill
gillsr at cymru.com
Mon Aug 9 14:30:49 EDT 2010
>> On 8/9/10 8:12 AM, Thomas Hungenberg wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> Joel Rosenblatt schrieb:
>>>> Attached is the list of scanners from last night (about 835) The number
>>>> has been increasing by about 200 for the last 4 days.
>>>
>>> I recently heard of some web server compromises via vulnerabilities in
>>> phpMyAdmin
>>> where the attackers installed '/tmp/dd_ssh' (MD5
>>> 24dac6bab595cd9c3718ea16a3804009)
>>> to launch SSH bruteforce attacks.
>>>
>>> Looks similar to:
>>> <http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11719.html>
>>
>>
>> Yeah, sounds familiar.
>>
>> In case it's helpful to anyone, we had 2 incidents of http/phpmyadmin
>> attempts coming from 91.193.157.206. I looked at it in a sandbox. If it
>> finds a vulnerable version of phpMyAdmin, it downloads the dd_ssh php
>> script from that same IP via ftp.
>>
>> The PHP container has a linux executable that appears to be the ssh
>> scanner. Once installed and executed, the copy of dd_ssh we observed
>> tried to contact an apparent C&C at 85.214.117.64 on 54509.
>
> Is this also 24dac6bab595cd9c3718ea16a3804009 ?
The other one that heads to: 85.114.129.49 2
MD5 (dd.txt) = bfe5f79c524f8279c64854015164034a
MD5 (dd_ssh) = 24dac6bab595cd9c3718ea16a3804009
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
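As an added example that is not part of this thread or of any of the posters' tooling: a small Python script that turns the indicators quoted above into three host-side checks a responder might run after a phpMyAdmin compromise. It flags SSH brute-force sources from sshd "Failed password" lines, matches md5sum output against the two hashes posted in the thread, and matches flow records against the C&C hosts mentioned. The log lines, md5sum output and flow records are constructed sample data; the year 2010 is assumed because syslog timestamps carry none, and the destination port for 85.114.129.49 is treated as "any port" because it is not legible in the archive.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hashes quoted in the thread (dd_ssh / dd.txt).
KNOWN_MD5 = {
    "24dac6bab595cd9c3718ea16a3804009": "dd_ssh",
    "bfe5f79c524f8279c64854015164034a": "dd.txt",
}
# C&C endpoints quoted in the thread: (host, port). port None = any port,
# since the port for the second host is not readable in the archived mail.
KNOWN_CC = {("85.214.117.64", 54509), ("85.114.129.49", None)}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample sshd lines (assumption: year 2010, not present in syslog).
SAMPLE_AUTH_LOG = """\
Aug  9 02:14:01 web1 sshd[2211]: Failed password for root from 91.193.157.206 port 41122 ssh2
Aug  9 02:14:03 web1 sshd[2213]: Failed password for invalid user admin from 91.193.157.206 port 41130 ssh2
Aug  9 02:14:06 web1 sshd[2215]: Failed password for invalid user test from 91.193.157.206 port 41138 ssh2
Aug  9 02:14:09 web1 sshd[2217]: Failed password for invalid user oracle from 91.193.157.206 port 41145 ssh2
Aug  9 02:14:12 web1 sshd[2219]: Failed password for invalid user postgres from 91.193.157.206 port 41152 ssh2
Aug  9 02:14:15 web1 sshd[2221]: Failed password for invalid user mysql from 91.193.157.206 port 41160 ssh2
Aug  9 02:20:11 web1 sshd[2300]: Failed password for alice from 10.0.0.5 port 50000 ssh2
Aug  9 02:20:40 web1 sshd[2301]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Aug  9 02:20:55 web1 sshd[2302]: Accepted password for alice from 10.0.0.5 port 50002 ssh2
""".splitlines()

# Constructed `md5sum /tmp/*` output from the suspect host.
SAMPLE_MD5SUM = """\
24dac6bab595cd9c3718ea16a3804009  /tmp/dd_ssh
d41d8cd98f00b204e9800998ecf8427e  /tmp/empty
""".splitlines()

# Constructed flow records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "85.214.117.64", 54509),
    ("192.0.2.10", "85.214.117.64", 80),
    ("192.0.2.11", "85.114.129.49", 443),
    ("192.0.2.12", "198.51.100.7", 443),
]


def parse_failed_logins(lines, year=2010):
    """Yield (timestamp, user, source_ip) for each sshd 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, distinct_users)} for every source that
    produced at least `threshold` failures inside some `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i
            # Advance j while events[j] is still inside the window opened at events[i].
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = (len(events), len({u for _, u in events}))
                break
    return flagged


def match_known_hashes(md5sum_lines):
    """Map file paths from md5sum output to the indicator name they match."""
    hits = {}
    for line in md5sum_lines:
        digest, _, path = line.strip().partition("  ")
        if digest.lower() in KNOWN_MD5:
            hits[path] = KNOWN_MD5[digest.lower()]
    return hits


def known_cc_flows(flows):
    """Return flow records whose destination matches a known C&C endpoint."""
    return [
        f for f in flows
        if any(f[1] == host and (port is None or f[2] == port) for host, port in KNOWN_CC)
    ]


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("known hashes:", match_known_hashes(SAMPLE_MD5SUM))
    print("C&C flows:", known_cc_flows(SAMPLE_FLOWS))
```

The threshold and window are deliberately low so the constructed sample trips them; on a real host they should be tuned against the normal failure rate, and the hash check only catches this exact build of dd_ssh, so the flow check is the more durable of the three.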