[nsp-sec] fibre1 -> AS24961, upstreams AS 3209, 3320, 3356, 10310, 13237 was SSH scanning - we are now up over 1000
Smith, Donald
Donald.Smith at qwest.com
Thu Aug 12 11:12:35 EDT 2010
Ok, so that controller has to have a large list of vulnerable systems, right?
It would also have the dictionary, but that is less interesting to me than the vulnerable account database.
Looks like it is in a colo facility.
Any chance fibre1 is here and can get a hold of that system?
If not can one of the upstreams find a clue stick and talk with them?
Anything I shared here is public and can be shared.
$ whois 85.114.129.49
% Information related to '85.114.128.0 - 85.114.135.255'
inetnum: 85.114.128.0 - 85.114.135.255
netname: FASTIT-DE-DUS1-COLO4
descr: fast IT Colocation
role: fast IT Operations Team
address: myLoc managed IT AG
address: Am Gatherhof 44
address: 40472 Duesseldorf
address: DE
abuse-mailbox: abuse at fastIT.net
phone: +49 211 171659 0
fax-no: +49 211 171659 77
remarks: +---------------------------------------------------+
remarks: | Please see FONE-RIPE for operational contacts in |
remarks: | case of network related issues! |
remarks: +---------------------------------------------------+
admin-c: DTH
tech-c: DTH
nic-hdl: FIO-RIPE
mnt-by: FIBRE1-MNT
source: RIPE # Filtered
role: fibre one NOC
address: fibre one networks GmbH
address: Network Operations & Services
address: Am Gatherhof 44
address: 40472 Duesseldorf
address: Germany
abuse-mailbox: abuse at fibre1.net
phone: +49 211 171659 40
fax-no: +49 211 171659 49
remarks: +---------------------------------------------------+
remarks: | 24/7 NOC email: noc _at_ fibre1.net |
remarks: | 24/7 NOC phone: +49 700 00 327848 |
remarks: | Please direct absue issues ONLY |
remarks: | to abuse _at_ fibre1.net |
remarks: | Complaints to other adresses will be deemed |
remarks: | as spam and not further processed! |
remarks: +---------------------------------------------------+
nic-hdl: FONE-RIPE
mnt-by: FIBRE1-MNT
source: RIPE # Filtered
% Information related to '85.114.128.0/19AS24961'
route: 85.114.128.0/19
descr: DE-FIBRE1-85-114-128-0---slash-19
origin: AS24961
mnt-by: FIBRE1-MNT
source: RIPE # Filtered
% Information related to '85.114.128.0/20AS24961'
route: 85.114.128.0/20
descr: DE-FIBRE1-85-114-128-0---slash-20
origin: AS24961
mnt-by: FIBRE1-MNT
source: RIPE # Filtered
$ whois -h upstream-whois.cymru.com 85.114.129.49
PEER_AS | IP | AS Name
3209 | 85.114.129.49 | VODANET International IP-Backbone of Vodafone
3320 | 85.114.129.49 | DTAG Deutsche Telekom AG
3356 | 85.114.129.49 | LEVEL3 Level 3 Communications
10310 | 85.114.129.49 | YAHOO-1 - Yahoo!
13237 | 85.114.129.49 | LAMBDANET-AS European Backbone of LambdaNet
Sharing: No permission required.
This is public share as desired.
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: Nicholas Ianelli [mailto:ni at centergate.net]
> Sent: Thursday, August 12, 2010 8:03 AM
> To: Joel Rosenblatt
> Cc: Smith, Donald; 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
>
>
>
> Yeah, this is what was seen running on one of the hosts the other day:
>
> # ps auxfw
>
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 1 0.0 0.0 2072 576 ? Ss Apr19 0:02 init [3]
> root 2 0.0 0.0 0 0 ? S< Apr19 0:01 [migration/0]
> root 3 0.0 0.0 0 0 ? SN Apr19 0:00 [ksoftirqd/0]
> ...
> apache 25462 0.0 0.0 1504 216 ? S 04:33 0:08 /tmp/dd_ssh 100
> 85.114.129.49 2
> apache 12778 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100
> 85.114.129.49 2
> apache 12779 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100
> 85.114.129.49 2
> apache 12780 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100
> 85.114.129.49 2
>
> (many more instances, all with the same IP)
>
>
> On 8/12/2010 6:35 AM, Joel Rosenblatt wrote:
> > ----------- nsp-security Confidential --------
> >
> > Hi Donald,
Actually, fellow handler DanielW did most of the work; I just got the ball rolling :)
> >
> > Thanks for putting this together.
> >
> > It does appear that whatever they are doing, the attack code is becoming more efficient
> >
> > Incident Attempts Attackers
> >
> > 8/12 22/tcp 7587050 32
> > 8/11 22/tcp 8524225 875
> > 8/10 22/tcp 6724109 1028
> > 8/9 22/tcp 3645405 618
> > 8/8 22/tcp 6176237 835
> >
> > Note that even though the number of attackers from last night is back to my normal of around 30, the total number of attempts had not gone down significantly.
> >
> > There are a lot less of them, but they are trying harder :-)
> >
> > Regards,
> > Joel
> >
> > --On Wednesday, August 11, 2010 3:27 PM -0600 "Smith, Donald"
> > <Donald.Smith at qwest.com> wrote:
> >
> >> We asked for and received lots of additional information and binaries for the dd_ssh/phpmyadmin issue.
> >>
> >> https://isc.sans.edu/diary.html?storyid=9370
> >>
> >> We have received some reports about a new SSH brute force script, possibly named dd_ssh, that gets dropped onto web servers, most likely via an older phpmyadmin vulnerability. If you have sample log entries from a successful attack or can share a copy of dd_ssh, please let us know. The current DShield figures do show a recent uptick in the number of sources that participate in SSH scanning.
> >>
> >> Update 1735UTC: We have received several samples of dd_ssh, with MD5 24dac6bab595cd9c3718ea16a3804009. If your MD5 differs, please still send us a copy. It also looks like the vulnerability exploited is indeed in phpmyadmin, but seems to be the rather old CVE-2009-1151. Again, if your information differs, please let us know. Thanks to all the ISC readers who responded so far!
> >>
> >> Update 2005UTC: Several readers have identified 91-193-157-206 as the most likely original source of the scanning for phpmyadmin's setup.exe. If successful, two files named "vmsplice.txt" and "dd.txt" were downloaded from that same IP. How exactly dd_ssh was installed is not yet clear, but most readers found it in /tmp after a POST request to phpmyadmin/scripts/setup.exe. A running dd_ssh was seen to talk to a bunch of IPs over ports 54509 and 54510; this is most likely the C&C connection.
> >>
> >> Update 2020UTC: We got it reasonably established that the vulnerability exploited to drop the SSH scanner was indeed CVE-2009-1151. C'mon, folks, if you insist on having your phpmyadmin reachable from the Internet (why would you?? Access control isn't hard!) then please at least upgrade to the most current version, which at this time is 2.11.10 or 3.3.5.
> >>
> >>
> >> I have looked at a pcap and validated the control ports.
> >> I have run a netflow report but not sure how much good it is without a lot of filtering, as the control ports (54509 and 54510) are legit ephemeral ports :(
> >>
> >>
> >> (coffee != sleep) & (!coffee == sleep)
> >> Donald.Smith at qwest.com gcia
> >>
> >>> -----Original Message-----
> >>> From: nsp-security-bounces at puck.nether.net
> >>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >>> Kevin Oberman
> >>> Sent: Tuesday, August 10, 2010 11:57 AM
> >>> To: Joel Rosenblatt
> >>> Cc: nsp-security at puck.nether.net
> >>> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
> >>>
> >>> ----------- nsp-security Confidential --------
> >>>
> >>> > Date: Tue, 10 Aug 2010 10:02:15 -0400
> >>> > From: Joel Rosenblatt <joel at columbia.edu>
> >>> > Sender: nsp-security-bounces at puck.nether.net
> >>> >
> >>> > ----------- nsp-security Confidential --------
> >>> >
> >>> >
> >>> > Hi,
> >>> >
> >>> > Looks like this is going to get worse before it gets worse ... list attached.
> >>> >
> >>> > Thanks,
> >>> > Joel
> >>> >
> >>> > Joel Rosenblatt, Manager Network & Computer Security
> >>> > Columbia Information Security Office (CISO)
> >>> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> >>> > http://www.columbia.edu/~joel
> >>>
> >>> This is the worst of these I've seen and it just keeps
> >>> getting heavier.
> >>>
> >>> I have been seeing over 500 new unique source addresses daily from the start of this and the number is growing daily. I only had 960 unique new addresses this morning, but I have rather careful vetting to avoid false positives as we feed this data into our RTBH and I don't want to block any legitimate access. I'm sure that if I looked at the data manually I would have a number of added hits.
> >>>
> >>> BTW, all of the attempts logged are reported to the Cymru brute-force list for inclusion in the daily reports.
> >>> --
> >>> R. Kevin Oberman, Network Engineer
> >>> Energy Sciences Network (ESnet)
> >>> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> >>> E-mail: oberman at es.net Phone: +1 510 486-8634
> >>> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
> >>>
> >>>
> >>> _______________________________________________
> >>> nsp-security mailing list
> >>> nsp-security at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/nsp-security
> >>>
> >>> Please do not Forward, CC, or BCC this E-mail outside of the
> >>> nsp-security
> >>> community. Confidentiality is essential for effective
> >>> Internet security counter-measures.
> >>> _______________________________________________
> >>>
> >>
> >> This communication is the property of Qwest and may contain
> >> confidential or
> >> privileged information. Unauthorized use of this communication is
> >> strictly
> >> prohibited and may be unlawful. If you have received this
> communication
> >> in error, please immediately notify the sender by reply e-mail and
> >> destroy
> >> all copies of the communication and any attachments.
> >>
> >
> >
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> >
> >
> >
>
>
> --
> Nicholas Ianelli: Neustar, Inc.
> Security Operations
>
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
>
>
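A triage filter built from the two indicators this thread supplies, the controller IP seen as an argument to /tmp/dd_ssh and the suspected C&C ports 54509/54510 (added example, not code from the thread or from the ISC diary). Because those ports are ordinary ephemeral ports, a flow is only counted as confirmed when the port and the controller IP both match; port-only matches are returned separately so the noise of a port-only netflow filter is visible. The flow records and ps lines are constructed sample input in an assumed whitespace-separated layout.

```python
import re
from collections import Counter

DD_SSH_CONTROLLER = "85.114.129.49"   # from the ps output in the thread
CC_PORTS = {54509, 54510}            # from the ISC diary quoted above

# Constructed flow records: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
10.1.2.3 41022 85.114.129.49 54509 tcp
10.1.2.3 41023 85.114.129.49 54510 tcp
10.1.2.9 54509 203.0.113.7 443 tcp
10.1.2.5 33011 198.51.100.20 54510 tcp
10.1.2.3 52211 192.0.2.44 22 tcp
"""

# Constructed ps lines modelled on the listing in the thread
SAMPLE_PS = """\
root 1 0.0 0.0 2072 576 ? Ss Apr19 0:02 init [3]
apache 25462 0.0 0.0 1504 216 ? S 04:33 0:08 /tmp/dd_ssh 100 85.114.129.49 2
apache 12778 0.0 0.0 3988 844 ? S 12:24 0:00 \\_ /tmp/dd_ssh 100 85.114.129.49 2
apache 30001 0.0 0.0 9000 1200 ? S 12:30 0:00 /usr/sbin/httpd
"""


def classify_flows(text):
    """Split flows into (confirmed, port_only).

    confirmed: a C&C port on either side AND the controller IP as peer.
    port_only: a C&C port but no controller IP (the ephemeral-port noise).
    """
    confirmed, port_only = [], []
    for line in text.splitlines():
        src, sport, dst, dport, _proto = line.split()
        sport, dport = int(sport), int(dport)
        if sport in CC_PORTS or dport in CC_PORTS:
            target = confirmed if DD_SSH_CONTROLLER in (src, dst) else port_only
            target.append((src, dst, dport))
    return confirmed, port_only


def dd_ssh_controllers(ps_text):
    """Count /tmp/dd_ssh processes per controller IP given on their command line."""
    pat = re.compile(r"/tmp/dd_ssh\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d+")
    hits = Counter()
    for line in ps_text.splitlines():
        m = pat.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits
```

Running both functions over a host's ps listing and its flow export gives the analyst the controller IP to hand to the upstreams and a short list of flows worth pulling from the netflow archive.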