[nsp-sec] fibre1 -> AS24961, upstreams AS 3209, 3320, 3356, 10310, 13237 was SSH scanning - we are now up over 1000
Joel Rosenblatt
joel at columbia.edu
Thu Aug 12 11:54:22 EDT 2010
When folks are sharpening up their clue sticks, maybe someone can use them on our big scanners today: ASNs 3758 9808 24737
# of scans
1267 | 151.64.139.197 | 22/tcp 2010-08-11 10:30:00 GMT-0400 2010-08-11 10:30:00 GMT-0400 254 | ASN-INFOSTRADA Infostrada S.p.A.
2042 | 202.185.8.6 | 22/tcp 2010-08-11 13:20:00 GMT-0400 2010-08-11 13:20:00 GMT-0400 1243 | ERX-JARING JARING Communications Sdn Bhd.
3352 | 212.170.183.82 | 22/tcp 2010-08-11 17:20:00 GMT-0400 2010-08-11 17:20:00 GMT-0400 460 | TELEFONICA-DATA-ESPANA TELEFONICA DE ESPANA
3462 | 210.242.193.30 | 22/tcp 2010-08-11 14:50:00 GMT-0400 2010-08-11 15:10:00 GMT-0400 19991 | HINET Data Communication Business Group
3462 | 220.128.167.249 | 22/tcp 2010-08-11 20:45:00 GMT-0400 2010-08-11 20:45:00 GMT-0400 10989 | HINET Data Communication Business Group
3758 | 203.126.53.110 | 22/tcp 2010-08-11 08:30:00 GMT-0400 2010-08-11 14:00:00 GMT-0400 4338763 | ERX-SINGNET SingNet
4134 | 121.10.133.226 | 22/tcp 2010-08-11 19:10:00 GMT-0400 2010-08-11 20:30:00 GMT-0400 31205 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 218.75.79.18 | 22/tcp 2010-08-11 14:00:00 GMT-0400 2010-08-11 14:00:00 GMT-0400 416 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 218.76.215.174 | 22/tcp 2010-08-11 18:15:00 GMT-0400 2010-08-11 18:15:00 GMT-0400 22514 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 61.133.208.210 | 22/tcp 2010-08-11 19:00:00 GMT-0400 2010-08-11 19:05:00 GMT-0400 50360 | CHINANET-BACKBONE No.31,Jin-rong Street
4538 | 202.117.10.254 | 22/tcp 2010-08-11 08:30:00 GMT-0400 2010-08-11 10:15:00 GMT-0400 16516 | ERX-CERNET-BKB China Education and Research Network Center
4812 | 58.40.18.81 | 22/tcp 2010-08-11 23:40:00 GMT-0400 2010-08-12 01:50:00 GMT-0400 248118 | CHINANET-SH-AP China Telecom (Group)
4837 | 218.61.4.126 | 22/tcp 2010-08-11 17:15:00 GMT-0400 2010-08-11 18:25:00 GMT-0400 2490 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 218.8.82.99 | 22/tcp 2010-08-11 19:50:00 GMT-0400 2010-08-11 19:50:00 GMT-0400 2103 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 222.138.109.160 | 22/tcp 2010-08-11 11:50:00 GMT-0400 2010-08-11 11:50:00 GMT-0400 2072 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 60.30.32.27 | 22/tcp 2010-08-11 17:20:00 GMT-0400 2010-08-12 01:30:00 GMT-0400 843772 | CHINA169-BACKBONE CNCGROUP China169 Backbone
5617 | 83.14.53.114 | 22/tcp 2010-08-11 21:20:00 GMT-0400 2010-08-11 21:40:00 GMT-0400 23616 | TPNET Polish Telecom_s commercial IP network
7738 | 187.14.8.165 | 22/tcp 2010-08-11 10:30:00 GMT-0400 2010-08-11 10:30:00 GMT-0400 364 | Telecomunicacoes da Bahia S.A.
8228 | 78.113.44.45 | 22/tcp 2010-08-11 10:30:00 GMT-0400 2010-08-11 10:30:00 GMT-0400 246 | CEGETEL-AS CEGETEL ENTREPRISES
9808 | 111.1.8.105 | 22/tcp 2010-08-11 13:25:00 GMT-0400 2010-08-11 13:45:00 GMT-0400 133943 | CMNET-GD Guangdong Mobile Communication Co.Ltd.
15557 | 93.17.197.44 | 22/tcp 2010-08-11 16:40:00 GMT-0400 2010-08-11 16:45:00 GMT-0400 65455 | LDCOMNET NEUF CEGETEL (formerly LDCOM NETWORKS)
15657 | 80.81.254.168 | 22/tcp 2010-08-11 14:35:00 GMT-0400 2010-08-11 16:45:00 GMT-0400 229872 | SPEEDBONE-AS SPEEDBONE
17621 | 112.65.171.66 | 22/tcp 2010-08-11 15:15:00 GMT-0400 2010-08-11 17:05:00 GMT-0400 12448 | CNCGROUP-SH China Unicom Shanghai network
18103 | 203.128.88.185 | 22/tcp 2010-08-11 10:00:00 GMT-0400 2010-08-11 10:05:00 GMT-0400 65423 | NEUVIZ-AS-ID-AP Neuviz Net
18881 | 201.22.7.212 | 22/tcp 2010-08-11 13:45:00 GMT-0400 2010-08-11 13:45:00 GMT-0400 841 | Global Village Telecom
24139 | 218.109.6.154 | 22/tcp 2010-08-12 01:20:00 GMT-0400 2010-08-12 01:30:00 GMT-0400 8337 | CNNIC-WASU-AP WASU TV & Communication Holding Co.,Ltd.
24739 | 81.23.121.38 | 22/tcp 2010-08-11 15:05:00 GMT-0400 2010-08-12 01:50:00 GMT-0400 1441056 | SEVEREN-TELECOM CJSC Severen-Telecom
25576 | 41.178.41.76 | 22/tcp 2010-08-11 20:15:00 GMT-0400 2010-08-11 20:15:00 GMT-0400 330 | AFMIC
45899 | 123.20.159.33 | 22/tcp 2010-08-11 10:30:00 GMT-0400 2010-08-11 10:30:00 GMT-0400 254 | VNPT-AS-VN VNPT Corp
45899 | 123.22.91.88 | 22/tcp 2010-08-11 15:25:00 GMT-0400 2010-08-11 15:25:00 GMT-0400 254 | VNPT-AS-VN VNPT Corp
45899 | 123.23.252.222 | 22/tcp 2010-08-11 11:20:00 GMT-0400 2010-08-11 11:20:00 GMT-0400 254 | VNPT-AS-VN VNPT Corp
49929 | 85.143.104.141 | 22/tcp 2010-08-11 10:30:00 GMT-0400 2010-08-11 10:40:00 GMT-0400 13091 | MISIS State Technological University
Thanks,
Joel
--On Thursday, August 12, 2010 9:12 AM -0600 "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> Ok so that controller has to have a large list of vulnerable systems right?
> It would also have the dictionary, but that is less interesting to me than the vulnerable account database.
>
> Looks like it is in a colo facility.
> Any chance fibre1 is here and can get a hold of that system?
> If not can one of the upstreams find a clue stick and talk with them?
> Anything I shared here is public and can be shared.
>
>
> $ whois 85.114.129.49
> % Information related to '85.114.128.0 - 85.114.135.255'
> inetnum: 85.114.128.0 - 85.114.135.255
> netname: FASTIT-DE-DUS1-COLO4
> descr: fast IT Colocation
>
> role: fast IT Operations Team
> address: myLoc managed IT AG
> address: Am Gatherhof 44
> address: 40472 Duesseldorf
> address: DE
> abuse-mailbox: abuse at fastIT.net
> phone: +49 211 171659 0
> fax-no: +49 211 171659 77
> remarks: +---------------------------------------------------+
> remarks: | Please see FONE-RIPE for operational contacts in |
> remarks: | case of network related issues! |
> remarks: +---------------------------------------------------+
> admin-c: DTH
> tech-c: DTH
> nic-hdl: FIO-RIPE
> mnt-by: FIBRE1-MNT
> source: RIPE # Filtered
>
> role: fibre one NOC
> address: fibre one networks GmbH
> address: Network Operations & Services
> address: Am Gatherhof 44
> address: 40472 Duesseldorf
> address: Germany
> abuse-mailbox: abuse at fibre1.net
> phone: +49 211 171659 40
> fax-no: +49 211 171659 49
> remarks: +---------------------------------------------------+
> remarks: | 24/7 NOC email: noc _at_ fibre1.net |
> remarks: | 24/7 NOC phone: +49 700 00 327848 |
> remarks: | Please direct absue issues ONLY |
> remarks: | to abuse _at_ fibre1.net |
> remarks: | Complaints to other adresses will be deemed |
> remarks: | as spam and not further processed! |
> remarks: +---------------------------------------------------+
> nic-hdl: FONE-RIPE
> mnt-by: FIBRE1-MNT
> source: RIPE # Filtered
> % Information related to '85.114.128.0/19AS24961'
> route: 85.114.128.0/19
> descr: DE-FIBRE1-85-114-128-0---slash-19
> origin: AS24961
> mnt-by: FIBRE1-MNT
> source: RIPE # Filtered
> % Information related to '85.114.128.0/20AS24961'
> route: 85.114.128.0/20
> descr: DE-FIBRE1-85-114-128-0---slash-20
> origin: AS24961
> mnt-by: FIBRE1-MNT
> source: RIPE # Filtered
>
>
> $ whois -h upstream-whois.cymru.com 85.114.129.49
> PEER_AS | IP | AS Name
> 3209 | 85.114.129.49 | VODANET International IP-Backbone of Vodafone
> 3320 | 85.114.129.49 | DTAG Deutsche Telekom AG
> 3356 | 85.114.129.49 | LEVEL3 Level 3 Communications
> 10310 | 85.114.129.49 | YAHOO-1 - Yahoo!
> 13237 | 85.114.129.49 | LAMBDANET-AS European Backbone of LambdaNet
>
> Sharing: No permission required.
> This is public share as desired.
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: Nicholas Ianelli [mailto:ni at centergate.net]
>> Sent: Thursday, August 12, 2010 8:03 AM
>> To: Joel Rosenblatt
>> Cc: Smith, Donald; 'nsp-security at puck.nether.net'
>> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Yeah, this is what was seen running on one of the hosts the other day:
>>
>> # ps auxfw
>>
>> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>> root 1 0.0 0.0 2072 576 ? Ss Apr19 0:02 init [3]
>> root 2 0.0 0.0 0 0 ? S< Apr19 0:01 [migration/0]
>> root 3 0.0 0.0 0 0 ? SN Apr19 0:00 [ksoftirqd/0]
>> ...
>> apache 25462 0.0 0.0 1504 216 ? S 04:33 0:08 /tmp/dd_ssh 100 85.114.129.49 2
>> apache 12778 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
>> apache 12779 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
>> apache 12780 0.0 0.0 3988 844 ? S 12:24 0:00 \_ /tmp/dd_ssh 100 85.114.129.49 2
>>
>> (many more instances, all with the same IP)
>>
>>
>> On 8/12/2010 6:35 AM, Joel Rosenblatt wrote:
>> > ----------- nsp-security Confidential --------
>> >
>> > Hi Donald,
> Actually, fellow handler DanielW did most of the work; I just got the ball rolling :)
>
>> >
>> > Thanks for putting this together.
>> >
>> > It does appear that whatever they are doing, the attack code is becoming more efficient.
>> >
>> > Date Incident Attempts Attackers
>> >
>> > 8/12 22/tcp 7587050 32
>> > 8/11 22/tcp 8524225 875
>> > 8/10 22/tcp 6724109 1028
>> > 8/9 22/tcp 3645405 618
>> > 8/8 22/tcp 6176237 835
>> >
>> > Note that even though the number of attackers from last night is back to my normal of around 30, the total number of attempts has not gone down significantly.
>> >
>> > There are a lot less of them, but they are trying harder :-)
>> >
>> > Regards,
>> > Joel
>> >
>> > --On Wednesday, August 11, 2010 3:27 PM -0600 "Smith, Donald"
>> > <Donald.Smith at qwest.com> wrote:
>> >
>> >> We asked for and received lots of additional information and binaries for the dd_ssh/phpmyadmin issue.
>> >>
>> >> https://isc.sans.edu/diary.html?storyid=9370
>> >>
>> >> We have received some reports about a new SSH brute force script, possibly named dd_ssh, that gets dropped onto web servers, most likely via an older phpmyadmin vulnerability. If you have sample log entries from a successful attack or can share a copy of dd_ssh, please let us know. The current DShield figures do show a recent uptick in the number of sources that participate in SSH scanning.
>> >>
>> >> Update 1735UTC: We have received several samples of dd_ssh, with MD5 24dac6bab595cd9c3718ea16a3804009. If your MD5 differs, please still send us a copy. It also looks like the vulnerability exploited is indeed in phpmyadmin, but seems to be the rather old CVE-2009-1151. Again, if your information differs, please let us know. Thanks to all the ISC readers who responded so far!
>> >>
>> >> Update 2005UTC: Several readers have identified 91-193-157-206 as the most likely original source of the scanning for phpmyadmin's setup.exe. If successful, two files named "vmsplice.txt" and "dd.txt" were downloaded from that same IP. How exactly dd_ssh was installed is not yet clear, but most readers found it in /tmp after a POST request to phpmyadmin/scripts/setup.exe. A running dd_ssh was seen to talk to a bunch of IPs over ports 54509 and 54510; this is most likely the C&C connection.
>> >>
>> >> Update 2020UTC: We got it reasonably established that the vulnerability exploited to drop the SSH scanner was indeed CVE-2009-1151. C'mon, folks, if you insist on having your phpmyadmin reachable from the Internet (why would you?? Access control isn't hard!) then please at least upgrade to the most current version, which at this time is 2.11.10 or 3.3.5.
>> >>
>> >>
>> >> I have looked at a pcap and validated the control ports.
>> >> I have run a netflow report but am not sure how much good it is without a lot of filtering, as the control ports (54509 and 54510) are legit ephemeral ports :(
>> >>
>> >>
>> >> (coffee != sleep) & (!coffee == sleep)
>> >> Donald.Smith at qwest.com gcia
>> >>
>> >>> -----Original Message-----
>> >>> From: nsp-security-bounces at puck.nether.net
>> >>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> >>> Kevin Oberman
>> >>> Sent: Tuesday, August 10, 2010 11:57 AM
>> >>> To: Joel Rosenblatt
>> >>> Cc: nsp-security at puck.nether.net
>> >>> Subject: Re: [nsp-sec] SSH scanning - we are now up over 1000
>> >>>
>> >>> ----------- nsp-security Confidential --------
>> >>>
>> >>> > Date: Tue, 10 Aug 2010 10:02:15 -0400
>> >>> > From: Joel Rosenblatt <joel at columbia.edu>
>> >>> > Sender: nsp-security-bounces at puck.nether.net
>> >>> >
>> >>> > ----------- nsp-security Confidential --------
>> >>> >
>> >>> >
>> >>> > Hi,
>> >>> >
>> >>> > Looks like this is going to get worse before it gets worse ... list attached.
>> >>> >
>> >>> > Thanks,
>> >>> > Joel
>> >>> >
>> >>> > Joel Rosenblatt, Manager Network & Computer Security
>> >>> > Columbia Information Security Office (CISO)
>> >>> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> >>> > http://www.columbia.edu/~joel
>> >>>
>> >>> This is the worst of these I've seen and it just keeps getting heavier.
>> >>>
>> >>> I have been seeing over 500 new unique source addresses daily from the start of this and the number is growing daily. I only had 960 unique new addresses this morning, but I have rather careful vetting to avoid false positives as we feed this data into our RTBH and I don't want to block any legitimate access. I'm sure that if I looked at the data manually I would have a number of added hits.
>> >>>
>> >>> BTW, all of the attempts logged are reported to the Cymru brute-force list for inclusion in the daily reports.
>> >>> --
>> >>> R. Kevin Oberman, Network Engineer
>> >>> Energy Sciences Network (ESnet)
>> >>> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
>> >>> E-mail: oberman at es.net Phone: +1 510 486-8634
>> >>> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> nsp-security mailing list
>> >>> nsp-security at puck.nether.net
>> >>> https://puck.nether.net/mailman/listinfo/nsp-security
>> >>>
>> >>> Please do not Forward, CC, or BCC this E-mail outside of the
>> >>> nsp-security
>> >>> community. Confidentiality is essential for effective
>> >>> Internet security counter-measures.
>> >>> _______________________________________________
>> >>>
>> >>
>> >> This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
>> >>
>> >
>> >
>> >
>> > Joel Rosenblatt, Manager Network & Computer Security
>> > Columbia Information Security Office (CISO)
>> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> > http://www.columbia.edu/~joel
>> >
>> >
>> >
>>
>>
>> - --
>> Nicholas Ianelli: Neustar, Inc.
>> Security Operations
>>
>> 46000 Center Oak Plaza Sterling, VA 20166
>> +1 571.434.4691 - http://www.neustar.biz
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (MingW32)
>>
>> iEYEARECAAYFAkxj/yQACgkQi10dJIBjZIDAFgCfXRfJCYUqyoPWeW8MiK55eno1
>> LEsAni9592iElSULgh9kBdT4VcxzuAR0
>> =WaDQ
>> -----END PGP SIGNATURE-----
>>
>
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
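Donald's remark in the thread that the dd_ssh control ports (54509 and 54510) are ordinary ephemeral ports is the usual weakness of a port-only netflow filter: every stray connection to one of those ports shows up as a hit. The example below is an added illustration, not code from the thread or from any tool it mentions. It groups flows on those two ports by destination and keeps only destinations contacted by several distinct internal hosts over a sustained window, which is the shape a controller has and a one-off ephemeral-port hit does not. The flow line format, the thresholds and every address in the sample are constructed for the example (192.0.2.10 plays the controller; 198.51.100.x are background noise).

```python
"""Rank netflow destinations on the dd_ssh control ports by fan-in.

Added example, not code from the thread or from any tool it names.
Matching on dst port 54509/54510 alone is noisy because those are
ordinary ephemeral ports; a controller stands out because several
distinct internal hosts keep talking to the same destination for hours.
All flow records, addresses and thresholds below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Control ports reported in the ISC diary quoted in the thread.
CONTROL_PORTS = {54509, 54510}

# Constructed flow records: "start src dst dport", one per line.
# 192.0.2.10 plays the controller; 198.51.100.x are stray ephemeral-port hits.
SAMPLE_FLOWS = """
2010-08-11T08:00:00 10.1.1.10 192.0.2.10 54509
2010-08-11T08:05:00 10.1.1.11 192.0.2.10 54509
2010-08-11T08:10:00 10.1.1.12 192.0.2.10 54510
2010-08-11T08:12:00 10.1.1.20 198.51.100.5 54509
2010-08-11T08:30:00 10.1.1.10 203.0.113.9 443
2010-08-11T09:00:00 10.1.1.10 192.0.2.10 54509
2010-08-11T09:15:00 10.1.1.21 198.51.100.6 54510
2010-08-11T10:00:00 10.1.1.10 192.0.2.10 54509
2010-08-11T10:05:00 10.1.1.11 192.0.2.10 54509
2010-08-11T10:20:00 10.1.1.22 198.51.100.7 54509
2010-08-11T10:23:00 10.1.1.22 198.51.100.7 54509
2010-08-11T11:10:00 10.1.1.12 192.0.2.10 54510
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> list:
    """Parse the constructed 'start src dst dport' format above."""
    flows = []
    for line in text.strip().splitlines():
        start, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(start), src, dst, int(dport)))
    return flows


def rank_controllers(flows, min_sources=3, min_span=timedelta(hours=1)):
    """Return candidate controllers: destinations contacted on a control
    port by at least min_sources distinct internal hosts over at least
    min_span, most-connected first. A single stray hit fails both tests."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.dport in CONTROL_PORTS:
            by_dst[f.dst].append(f)

    candidates = []
    for dst, group in by_dst.items():
        sources = {f.src for f in group}
        starts = [f.start for f in group]
        span = max(starts) - min(starts)
        if len(sources) >= min_sources and span >= min_span:
            candidates.append({
                "dst": dst,
                "sources": len(sources),
                "flows": len(group),
                "ports": sorted({f.dport for f in group}),
                "span_minutes": int(span.total_seconds() // 60),
            })
    candidates.sort(key=lambda c: (-c["sources"], -c["flows"]))
    return candidates


def suppressed_destinations(flows, min_sources=3, min_span=timedelta(hours=1)):
    """Destinations hit on a control port that the fan-in test dropped:
    exactly what a port-only filter would have reported as extra noise."""
    on_port = {f.dst for f in flows if f.dport in CONTROL_PORTS}
    kept = {c["dst"] for c in rank_controllers(flows, min_sources, min_span)}
    return sorted(on_port - kept)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for c in rank_controllers(flows):
        print(f"{c['dst']:16} sources={c['sources']} flows={c['flows']} "
              f"ports={c['ports']} span={c['span_minutes']}min")
    print("suppressed:", suppressed_destinations(flows))
```

The two thresholds are tuning knobs rather than fixed rules: `min_sources` should sit above the number of internal hosts that plausibly share one external ephemeral-port peer by chance, and `min_span` above the lifetime of a normal client connection. On real exports the same grouping also makes it cheap to join the surviving destinations against an indicator already in hand, such as the controller address the thread names, and to list the internal hosts behind each candidate for host-level follow-up.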