[nsp-sec] SSH scanning - we are now up over 1000
Kevin Oberman
oberman at es.net
Thu Aug 12 10:12:01 EDT 2010
> Date: Thu, 12 Aug 2010 06:35:19 -0400
> From: Joel Rosenblatt <joel at columbia.edu>
>
> Hi Donald,
>
> Thanks for putting this together.
>
> It does appear that whatever they are doing, the attack code is becoming more efficient.
>
> Incident         Attempts   Attackers
>
> 8/12  22/tcp      7587050          32
> 8/11  22/tcp      8524225         875
> 8/10  22/tcp      6724109        1028
> 8/9   22/tcp      3645405         618
> 8/8   22/tcp      6176237         835
>
> Note that even though the number of attackers from last night is back to my normal of around 30, the total number of attempts has not gone down significantly.
>
> There are a lot fewer of them, but they are trying harder :-)
>
> Regards,
> Joel
Looks like this round is over. At 9:10 UTC this morning all activity
suddenly stopped. Guess they may have finished running through their
list of accounts. The last one was 'wsmith'. Since that time, no
attempts at all.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>
> --On Wednesday, August 11, 2010 3:27 PM -0600 "Smith, Donald" <Donald.Smith at qwest.com> wrote:
>
> > We asked for and received lots of additional information and binaries for the dd_ssh/phpmyadmin issue.
> >
> > https://isc.sans.edu/diary.html?storyid=9370
> >
> > We have received some reports about a new SSH brute force script, possibly named dd_ssh, that gets dropped onto web servers, most likely via an older
> > phpmyadmin vulnerability. If you have sample log entries from a successful attack or can share a copy of dd_ssh, please let us know. The current DShield
> > figures do show a recent uptick in the number of sources that participate in SSH scanning.
> >
> > Update 1735UTC: We have received several samples of dd_ssh, with MD5 24dac6bab595cd9c3718ea16a3804009. If your MD5 differs, please still send us a copy. It
> > also looks like the vulnerability exploited is indeed in phpmyadmin, but seems to be the rather old CVE-2009-1151. Again, if your information differs, please
> > let us know. Thanks to all the ISC readers who responded so far!
> >
> > Update 2005UTC: Several readers have identified 91-193-157-206 as the most likely original source of the scanning for phpmyadmin's setup.exe. If successful,
> > two files named "vmsplice.txt" and "dd.txt" were downloaded from that same IP. How exactly dd_ssh was installed is not yet clear, but most readers found it
> > in /tmp after a POST request to phpmyadmin/scripts/setup.exe. A running dd_ssh was seen to talk to a bunch of IPs over ports 54509 and 54510; this is most
> > likely the C&C connection.
> >
> > Update 2020UTC: We got it reasonably established that the vulnerability exploited to drop the SSH scanner was indeed CVE-2009-1151. C'mon, folks, if you
> > insist on having your phpmyadmin reachable from the Internet (why would you?? Access control isn't hard!) then please at least upgrade to the most current
> > version, which at this time is 2.11.10 or 3.3.5.
> >
> >
> > I have looked at a pcap and validated the control ports.
> > I have run a netflow report, but I'm not sure how much good it is without a lot of filtering, as the control ports (54509 and 54510) are legit ephemeral ports :(
> >
> >
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith at qwest.com gcia
> >
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >> Kevin Oberman
> >> Sent: Tuesday, August 10, 2010 11:57 AM
> >> To: Joel Rosenblatt
> >> Cc: nsp-security at puck.nether.net
> >> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >> > Date: Tue, 10 Aug 2010 10:02:15 -0400
> >> > From: Joel Rosenblatt <joel at columbia.edu>
> >> > Sender: nsp-security-bounces at puck.nether.net
> >> >
> >> > ----------- nsp-security Confidential --------
> >> >
> >> >
> >> > Hi,
> >> >
> >> > Looks like this is going to get worse before it gets worse ... list attached.
> >> >
> >> > Thanks,
> >> > Joel
> >> >
> >> > Joel Rosenblatt, Manager Network & Computer Security
> >> > Columbia Information Security Office (CISO)
> >> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> >> > http://www.columbia.edu/~joel
> >>
> >> This is the worst of these I've seen and it just keeps
> >> getting heavier.
> >>
> >> I have been seeing over 500 new unique source addresses daily from the
> >> start of this and the number is growing daily. I only had 960 unique
> >> new addresses this morning, but I have rather careful vetting to avoid
> >> false positives as we feed this data into our RTBH and I don't want to
> >> block any legitimate access. I'm sure that if I looked at the data
> >> manually, that I would have a number of added hits.
> >>
> >> BTW, all of the logged attempts are reported to the Cymru
> >> brute-force list for inclusion in the daily reports.
> >> --
> >> R. Kevin Oberman, Network Engineer
> >> Energy Sciences Network (ESnet)
> >> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> >> E-mail: oberman at es.net Phone: +1 510 486-8634
> >> Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the
> >> nsp-security
> >> community. Confidentiality is essential for effective
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
> >
> > This communication is the property of Qwest and may contain confidential or
> > privileged information. Unauthorized use of this communication is strictly
> > prohibited and may be unlawful. If you have received this communication
> > in error, please immediately notify the sender by reply e-mail and destroy
> > all copies of the communication and any attachments.
> >
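Added example (editor's code, not anything posted by Joel, Kevin or ISC): a script that produces the per-day "Attempts / Attackers" counts of Joel's table from sshd syslog lines and applies the kind of vetting Kevin describes before feeding a source into an RTBH, dropping any address that also had a successful login and requiring more than one username tried. The log lines are constructed (RFC 5737 addresses), the thresholds are assumptions, and the log format is stock OpenSSH "Failed password" / "Accepted" messages.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (not from any list member's logs); addresses
# are RFC 5737 documentation ranges. Two days of failed logins plus one
# successful key login from an address that also had a password failure.
SAMPLE_LOG = """\
Aug 10 03:11:02 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug 10 03:11:05 gw sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Aug 10 03:12:10 gw sshd[1210]: Failed password for root from 203.0.113.9 port 40011 ssh2
Aug 10 09:00:00 gw sshd[1300]: Failed password for kevin from 192.0.2.44 port 60000 ssh2
Aug 10 09:00:20 gw sshd[1301]: Accepted publickey for kevin from 192.0.2.44 port 60001 ssh2
Aug 11 01:00:00 gw sshd[1400]: Failed password for invalid user wsmith from 198.51.100.7 port 52000 ssh2
Aug 11 01:00:01 gw sshd[1401]: Failed password for invalid user wsmith from 203.0.113.9 port 40100 ssh2
Aug 11 01:00:02 gw sshd[1402]: Failed password for invalid user wsmith from 203.0.113.10 port 40101 ssh2
"""

# Stock OpenSSH message formats; "invalid user" is present when the account
# does not exist, which is the usual case for a dictionary scanner.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")


def summarize(log_text):
    """Per-day (attempts, distinct attackers): the two columns of the table above."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            day = f"{m['mon']} {int(m['day'])}"
            attempts[day] += 1
            sources[day].add(m["ip"])
    return {day: (attempts[day], len(sources[day])) for day in attempts}


def vet_for_rtbh(log_text, min_attempts=20, min_users=2):
    """Sources safe to hand to a blackhole feed: enough failures, more than one
    username tried (dictionary behaviour rather than a mistyped password), and
    no successful login from that address in the same window.
    The default thresholds are illustrative assumptions, not values from the thread."""
    failures = defaultdict(int)
    users = defaultdict(set)
    succeeded = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        a = ACCEPTED_RE.search(line)
        if a:
            succeeded.add(a["ip"])
    return sorted(
        ip for ip, n in failures.items()
        if n >= min_attempts and len(users[ip]) >= min_users and ip not in succeeded
    )


if __name__ == "__main__":
    for day, (n, k) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{day}  22/tcp  attempts={n}  attackers={k}")
    print("RTBH candidates:", vet_for_rtbh(SAMPLE_LOG, min_attempts=2))
```

On the sample, 192.0.2.44 fails once and then logs in with a key, so it never reaches the blackhole list regardless of threshold; 203.0.113.10 has a single failure and is dropped by the attempt threshold. In production the thresholds should be set from your own baseline (Joel's "normal of around 30" attackers a day is one such baseline) rather than the toy values used here.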
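Added example (editor's code, not Donald's netflow report): the filtering Donald says a netflow report needs, since 54509 and 54510 sit inside the ordinary ephemeral range and a port-only match will flag innocent hosts. It keeps a source only if it both contacted the C&C ports named in the ISC diary and fanned out to several distinct hosts on 22/tcp, which is what a running dd_ssh does. Flow records are constructed tuples of (src, dst, dst_port); the fan-out threshold is an assumption.

```python
from collections import defaultdict

# Ports the running dd_ssh was seen talking to, per the ISC diary quoted above.
C2_PORTS = {54509, 54510}

# Constructed flow records (src, dst, dst_port), not from anyone's collector.
SAMPLE_FLOWS = [
    # compromised web server: C&C traffic plus fan-out to many hosts on 22/tcp
    ("10.1.2.3", "198.51.100.50", 54509),
    ("10.1.2.3", "198.51.100.51", 54510),
    ("10.1.2.3", "203.0.113.1", 22),
    ("10.1.2.3", "203.0.113.2", 22),
    ("10.1.2.3", "203.0.113.3", 22),
    # ordinary client that happened to hit a peer's ephemeral port 54509
    ("10.1.9.9", "192.0.2.77", 54509),
    ("10.1.9.9", "192.0.2.78", 443),
    # admin workstation: a couple of SSH sessions, no C&C ports
    ("10.1.5.5", "203.0.113.1", 22),
    ("10.1.5.5", "203.0.113.2", 22),
]


def c2_port_only(flows):
    """Naive report: every source with a flow to 54509 or 54510 (false positives included)."""
    return sorted({src for src, _dst, dport in flows if dport in C2_PORTS})


def likely_dd_ssh_hosts(flows, min_ssh_targets=3):
    """Require both C&C port contact and SSH fan-out (distinct 22/tcp destinations
    >= min_ssh_targets, an assumed threshold) from the same source."""
    c2_talkers = set()
    ssh_targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in C2_PORTS:
            c2_talkers.add(src)
        elif dport == 22:
            ssh_targets[src].add(dst)
    return sorted(src for src in c2_talkers if len(ssh_targets[src]) >= min_ssh_targets)


if __name__ == "__main__":
    print("port filter alone:       ", c2_port_only(SAMPLE_FLOWS))
    print("port filter + SSH fan-out:", likely_dd_ssh_hosts(SAMPLE_FLOWS))
```

The port-only filter returns both 10.1.2.3 and the innocent 10.1.9.9; adding the SSH fan-out condition leaves only the infected host. With real flow exports you would key on the same fields (source, destination, destination port) and drop the sample list.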