[nsp-sec] SSH scanning - we are now up over 1000

Nicholas Ianelli ni at centergate.net
Thu Aug 12 10:03:16 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Yeah, this is what was seen running on one of the hosts the other day:

# ps auxfw

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2072 576 ? Ss Apr19 0:02 init [3]
root 2 0.0 0.0 0 0 ? S< Apr19 0:01 [migration/0]
root 3 0.0 0.0 0 0 ? SN Apr19 0:00 [ksoftirqd/0]
...
apache 25462 0.0 0.0 1504 216 ? S 04:33 0:08 /tmp/dd_ssh 100 85.114.129.49 2
apache 12778 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
apache 12779 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
apache 12780 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2

(many more instances, all with the same IP)


On 8/12/2010 6:35 AM, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
> 
> Hi Donald,
> 
> Thanks for putting this together.
> 
> It does appear that whatever they are doing, the attack code is becoming
> more efficient
> 
> Incident            Attempts   Attackers
> 
> 8/12 22/tcp          7587050     32
> 8/11 22/tcp          8524225    875
> 8/10 22/tcp          6724109   1028
> 8/9  22/tcp          3645405    618
> 8/8  22/tcp          6176237    835
> 
> Note that even though the number of attackers from last night is back to
> my normal of around 30, the total number of attempts had not gone down
> significantly.
> 
> There are a lot less of them, but they are trying harder :-)
> 
> Regards,
> Joel
> 
> --On Wednesday, August 11, 2010 3:27 PM -0600 "Smith, Donald"
> <Donald.Smith at qwest.com> wrote:
> 
>> We asked for and received lots of additional information and binaries
>> for the dd_ssh/phpmyadmin issue.
>>
>> https://isc.sans.edu/diary.html?storyid=9370
>>
>> We have received some reports about a new SSH brute force script,
>> possibly named dd_ssh, that gets dropped onto web servers, most likely
>> via an older phpmyadmin vulnerability.  If you have sample log entries
>> from a successful attack or can share a copy of dd_ssh, please let us
>> know.  The current DShield figures do show a recent uptick in the number
>> of sources that participate in SSH scanning.
>>
>> Update 1735UTC: We have received several samples of dd_ssh, with MD5
>> 24dac6bab595cd9c3718ea16a3804009.  If your MD5 differs, please still
>> send us a copy.  It also looks like the vulnerability exploited is
>> indeed in phpmyadmin, but seems to be the rather old CVE-2009-1151.
>> Again, if your information differs, please let us know.  Thanks to all
>> the ISC readers who responded so far!
>>
>> Update 2005UTC: Several readers have identified 91-193-157-206 as the
>> most likely original source of the scanning for phpmyadmin's setup.exe.
>> If successful, two files named "vmsplice.txt" and "dd.txt" were
>> downloaded from that same IP.  How exactly dd_ssh was installed is not
>> yet clear, but most readers found it in /tmp after a POST request to
>> phpmyadmin/scripts/setup.exe.  A running dd_ssh was seen to talk to a
>> bunch of IPs over ports 54509 and 54510; this is most likely the C&C
>> connection.
>>
>> Update 2020UTC: We got it reasonably established that the vulnerability
>> exploited to drop the SSH scanner was indeed CVE-2009-1151.  C'mon,
>> folks, if you insist on having your phpmyadmin reachable from the
>> Internet (why would you?? Access control isn't hard!) then please at
>> least upgrade to the most current version, which at this time is
>> 2.11.10 or 3.3.5.
>>
>>
>> I have looked at a pcap and validated the control ports.
>> I have run a netflow report but I'm not sure how much good it is without
>> a lot of filtering, as the control ports (54509 and 54510) are legit
>> ephemeral ports :(
>>
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com gcia
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>>> Kevin Oberman
>>> Sent: Tuesday, August 10, 2010 11:57 AM
>>> To: Joel Rosenblatt
>>> Cc: nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> > Date: Tue, 10 Aug 2010 10:02:15 -0400
>>> > From: Joel Rosenblatt <joel at columbia.edu>
>>> > Sender: nsp-security-bounces at puck.nether.net
>>> >
>>> > ----------- nsp-security Confidential --------
>>> >
>>> >
>>> > Hi,
>>> >
>>> > Looks like this is going to get worse before it gets worse
>>> > ... list attached.
>>> >
>>> > Thanks,
>>> > Joel
>>> >
>>> > Joel Rosenblatt, Manager Network & Computer Security
>>> > Columbia Information Security Office (CISO)
>>> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>>> > http://www.columbia.edu/~joel
>>>
>>> This is the worst of these I've seen and it just keeps
>>> getting heavier.
>>>
>>> I have been seeing over 500 new unique source addresses daily from the
>>> start of this and the number is growing daily.  I only had 960 unique
>>> new addresses this morning, but I have rather careful vetting to avoid
>>> false positives as we feed this data into our RTBH and I don't want to
>>> block any legitimate access. I'm sure that if I looked at the data
>>> manually, I would have a number of added hits.
>>>
>>> BTW, all of the attempts logged are reported to the Cymru
>>> brute-force list for inclusion in the daily reports.
>>> -- 
>>> R. Kevin Oberman, Network Engineer
>>> Energy Sciences Network (ESnet)
>>> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>>> E-mail: oberman at es.net                        Phone: +1 510 486-8634
>>> Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>> nsp-security
>>> community. Confidentiality is essential for effective
>>> Internet security counter-measures.
>>> _______________________________________________
>>>
>>
>> This communication is the property of Qwest and may contain
>> confidential or
>> privileged information. Unauthorized use of this communication is
>> strictly
>> prohibited and may be unlawful.  If you have received this communication
>> in error, please immediately notify the sender by reply e-mail and
>> destroy
>> all copies of the communication and any attachments.
>>
> 
> 
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> 
> 
> 


- -- 
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkxj/yQACgkQi10dJIBjZIDAFgCfXRfJCYUqyoPWeW8MiK55eno1
LEsAni9592iElSULgh9kBdT4VcxzuAR0
=WaDQ
-----END PGP SIGNATURE-----
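Two detection angles come up in this thread: the `ps auxfw` listing at the top (a web-server account running a binary out of /tmp, with a fan of identical children all carrying the same remote IP on their command line), and Donald's remark that a netflow report on the control ports 54509/54510 is noisy because those numbers also occur as ordinary ephemeral ports. The following Python script is an added example, not code from the thread or from any of the posters. It parses a constructed process listing modelled on the one above, pulls out the remote IP as an indicator, and then hunts constructed flow records for hosts that both talk to the control ports and fan out SSH connections to many distinct targets, which is the filtering the bare port match lacks. The web-server account names, the temp-directory list, the flow-record layout and the 10.0.0.x / 192.0.2.x / 198.51.100.x addresses are assumptions; only 85.114.129.49 and the two port numbers come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `ps auxfw` listing in the post (the
# dd_ssh lines reuse the IP from the thread; the httpd line is made up).
PS_SAMPLE = r"""USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2072 576 ? Ss Apr19 0:02 init [3]
apache 30001 0.0 0.1 22000 3000 ? S 04:00 0:01 /usr/sbin/httpd
apache 25462 0.0 0.0 1504 216 ? S 04:33 0:08 /tmp/dd_ssh 100 85.114.129.49 2
apache 12778 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
apache 12779 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
apache 12780 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
"""

# Assumptions: account names the web server runs as, and directories a
# web-server process has no business executing from.
WEB_USERS = {"apache", "www-data", "nobody", "httpd"}
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
C2_PORTS = {54509, 54510}  # control ports named in the thread


def parse_ps(text):
    """Split `ps aux`-style lines into user/pid/command; the tree glyphs
    added by the f flag (\\_ and |) are stripped from the command."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        cmd = re.sub(r"^[\s\\_|]+", "", parts[10])
        rows.append({"user": parts[0], "pid": int(parts[1]), "cmd": cmd})
    return rows


def find_tmp_executables(rows):
    """Processes run by a web-server account from a temp directory, grouped by
    the first IPv4 address on their command line (None if there is none)."""
    hits = defaultdict(list)
    for r in rows:
        exe = r["cmd"].split()[0] if r["cmd"] else ""
        if r["user"] in WEB_USERS and exe.startswith(TEMP_PREFIXES):
            ips = IPV4.findall(r["cmd"])
            hits[ips[0] if ips else None].append(r["pid"])
    return dict(hits)


# Constructed flow records (src, dst, dport, packets): 10.0.0.5 plays the
# compromised web host, 10.0.0.9 a client whose ephemeral port happens to be
# 54509, 10.0.0.12 an admin box that legitimately reaches many hosts on 22.
FLOWS = [("10.0.0.5", "85.114.129.49", 54509, 40),
         ("10.0.0.5", "85.114.129.49", 54510, 12),
         ("10.0.0.9", "198.51.100.7", 54509, 5)]
FLOWS += [("10.0.0.5", "192.0.2.%d" % i, 22, 2) for i in range(1, 26)]
FLOWS += [("10.0.0.12", "192.0.2.%d" % i, 22, 30) for i in range(1, 16)]


def naive_port_matches(flows):
    """What a bare 'dport in control ports' report returns: every source that
    ever hit one of those ports, ephemeral-port collisions included."""
    return {src for src, _, dport, _ in flows if dport in C2_PORTS}


def hunt_flows(flows, min_ssh_targets=10):
    """Flag a source only if it talks to the control ports AND fans out SSH
    connections to at least min_ssh_targets distinct hosts."""
    c2_peers = defaultdict(set)
    ssh_targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport in C2_PORTS:
            c2_peers[src].add(dst)
        elif dport == 22:
            ssh_targets[src].add(dst)
    return {src: {"c2_peers": sorted(peers), "ssh_targets": len(ssh_targets[src])}
            for src, peers in c2_peers.items()
            if len(ssh_targets[src]) >= min_ssh_targets}


if __name__ == "__main__":
    print(find_tmp_executables(parse_ps(PS_SAMPLE)))
    print(sorted(naive_port_matches(FLOWS)))
    print(hunt_flows(FLOWS))
```

On the constructed data the bare port match returns both 10.0.0.5 and the innocent 10.0.0.9, while the combined test returns only 10.0.0.5 with 85.114.129.49 as its control peer and 25 distinct SSH targets; the admin box 10.0.0.12 is never flagged because it has no control-port traffic. The IP extracted from the process listing can be used the same way in reverse, as a filter on `dst` before looking at ports at all.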


