[nsp-sec] distributed ssh scanners again
Torsten Voss
voss at dfn-cert.de
Wed Nov 3 11:43:31 EDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
we've received the malware from a compromised system.
The malware was started similarly to the last one in summer:
PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300 217.79.190.53 2 2>/dev/null >/dev/null
217.79.190.53 is probably the C&C server for the distributed ssh scans.
The initial malware was probably downloaded at
http://195.69.220.2/a.txt
Three files were found:
60ccf6902bcc37550954383be1461041 barbut
3f25289959d9fecc72cf24d2e300c97b dd_ssh
30a1e1ae9d573b2daceb71f9ec8c0ce8 dtdss
IP 195.69.220.2 is hardcoded in the dtdss file
IP 217.79.181.30 is included in the barbut file
If someone would like a copy, please send us an email.
Kind regards,
Torsten, AS680
- --
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone +49 40 808077-634
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iQEVAwUBTNGDIiXNv0Upg26pAQIPCwgAzjhu3Rm4JmG1T+mafG619Hza+HrGXSto
c3dPwvKGDpvTZy+4SlKinaYGFPmAcYSTx/46b6zpOyj6M9BDwU27ujVquVZViNe5
UnV2uy9as7togaIRU8y2nfquFpn0gXBGAsJ+71jNTFoQRqkerzjaBunQIMzKRKAu
IDSfIBpaObkh37HjGkw/84W2V0ruFvRereuvhioCj53CJ0o1o+LixKiLkN6lfaEe
NSw2WYpXQeZsSwDRwYjSU4eLoTCb5GIySUE5KKRGeK2oJEO574nT1YpUW//dL63+
e/oj/v+H71VTEHgK146hU2zmVHEit2Cqqxnk/WBbjGejQnlwZ1fClA==
=wiBW
-----END PGP SIGNATURE-----
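The report above lists the indicators a responder would want to sweep other hosts for: three MD5 hashes, three file names, the launch line in /tmp and three IP addresses. The following is an added defender-side example, not code from the original post or from DFN-CERT, that checks a file tree and ps/firewall-style text lines against exactly those indicators. Only the hashes, names and IPs quoted in the report are used; the process listing, firewall lines and files it scans are constructed sample data, and the hash entry added in demo() is a constructed stand-in so that the hash-match path is exercised without the real sample.

```python
"""Added example: sweep a host snapshot for the indicators from the report above."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the report above (MD5 -> reported file name, and IPs).
KNOWN_MD5 = {
    "60ccf6902bcc37550954383be1461041": "barbut",
    "3f25289959d9fecc72cf24d2e300c97b": "dd_ssh",
    "30a1e1ae9d573b2daceb71f9ec8c0ce8": "dtdss",
}
KNOWN_NAMES = set(KNOWN_MD5.values())
KNOWN_IPS = {"217.79.190.53", "195.69.220.2", "217.79.181.30"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES):
    """Walk `root`. A hash match identifies the reported sample; a name match
    with a different hash is reported too, since a rebuilt variant keeps the
    same file name but not the same hash."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of_file(path)
        if digest in known_md5:
            hits.append((str(path), "md5", known_md5[digest]))
        elif path.name in known_names:
            hits.append((str(path), "name", path.name))
    return hits


def scan_lines(lines, known_ips=KNOWN_IPS, known_names=KNOWN_NAMES):
    """Check ps/netstat/firewall-style lines for the reported names or IPs.
    Returns (line, matched_ips, matched_names) for every line that hits."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        ips = sorted(set(IPV4_RE.findall(line)) & known_ips)
        names = sorted(n for n in known_names
                       if re.search(r"\b%s\b" % re.escape(n), line))
        if ips or names:
            hits.append((line, ips, names))
    return hits


# Constructed sample data (not real captures): a process listing with a line
# shaped like the launch command in the report, plus two firewall log lines.
SAMPLE_PS = [
    "root    1021  0.0  0.1  /usr/sbin/sshd -D",
    "nobody  4133  2.3  0.4  /tmp/dd_ssh 300 217.79.190.53 2",
    "www     2210  0.0  0.2  /usr/sbin/apache2 -k start",
]
SAMPLE_FW = [
    "Nov  3 11:40:02 host kernel: OUT=eth0 SRC=10.0.0.5 DST=195.69.220.2 DPT=80",
    "Nov  3 11:40:09 host kernel: OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=53",
]


def demo():
    """Build a constructed evidence tree and run both scanners. The dd_ssh file
    holds constructed bytes, so it is caught by name only; the hash of a second
    constructed file is added to the hash list to exercise the md5 path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tmp").mkdir()
        (root / "tmp" / "dd_ssh").write_bytes(b"constructed stand-in, not the sample")
        (root / "tmp" / "readme").write_bytes(b"harmless text")
        variant = root / "tmp" / "x"
        variant.write_bytes(b"constructed second file")
        hashes = dict(KNOWN_MD5)
        hashes[md5_of_file(variant)] = "constructed-hash-match"
        file_hits = scan_files(root, known_md5=hashes)
        # Drop the temp-dir prefix so the result does not depend on the machine.
        file_hits = [(p[len(tmp):], kind, what) for p, kind, what in file_hits]
    return {"files": file_hits, "ps": scan_lines(SAMPLE_PS), "fw": scan_lines(SAMPLE_FW)}


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

In practice, point scan_files at /tmp and other world-writable directories and feed scan_lines the output of `ps auxww` and recent firewall or proxy logs. The name-only match is deliberately kept as a lower-confidence hit: the report already shows a second wave of the same tool, so a hash mismatch alone should not clear a file named dd_ssh in /tmp.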