[nsp-sec] distributed ssh scanners again
Torsten Voss
voss at dfn-cert.de
Wed Nov 3 12:13:23 EDT 2010
I thought so too, but no phpmyadmin was installed on the system. It is not
clear which vulnerability was used.
Sure, you can share the information with your customers.
Cheers,
Torsten
On 03.11.2010 17:04, Smith, Donald wrote:
> Torsten, is it ok to share the fact that this is probably due to a vulnerable version of phpmyadmin internally and with customers?
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Torsten Voss
>> Sent: Wednesday, November 03, 2010 9:44 AM
>> To: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] distributed ssh scanners again
>>
>> ----------- nsp-security Confidential --------
>>
> Hi,
>
> we've received the malware from a compromised system:
>
> The malware was started similarly to the last one in summer:
>
> PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300
> 217.79.190.53 2 2>/dev/null >/dev/null
>
> 217.79.190.53 is probably the C&C server for the distributed ssh scans
>
> The initial malware was probably downloaded at
> http://195.69.220.2/a.txt
>
> Three files were found:
> 60ccf6902bcc37550954383be1461041 barbut
> 3f25289959d9fecc72cf24d2e300c97b dd_ssh
> 30a1e1ae9d573b2daceb71f9ec8c0ce8 dtdss
>
> IP 195.69.220.2 is hardcoded in the dtdss file
> IP 217.79.181.30 is included in the barbut file
>
> If someone would like a copy, please send us an email.
>
> Kind regards,
> Torsten, AS680
>
>
>>
>>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________
--
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone +49 40 808077-634
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages https://www.cert.dfn.de/autowarn
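For anyone checking their own hosts against this report, here is an added example (my own code, not from Torsten's mail or DFN-CERT) that looks for the three reported files by MD5 and for a running process started with the quoted dd_ssh command line. The MD5 values come from the mail above; the function names and the launch-line regex are my assumptions about what a triage script would need.

```python
import hashlib
import os
import re
from pathlib import Path

# MD5 sums of the three files listed in the report (values taken from the mail).
REPORTED_MD5 = {
    "60ccf6902bcc37550954383be1461041": "barbut",
    "3f25289959d9fecc72cf24d2e300c97b": "dd_ssh",
    "30a1e1ae9d573b2daceb71f9ec8c0ce8": "dtdss",
}

# Shape of the quoted launch line: optional "PATH=...;" prefix, then
# <path>/dd_ssh <number> <IPv4 of the C&C> <number>; redirections are ignored.
DD_SSH_CMD = re.compile(
    r"(?:^|[;\s])(?P<bin>[^\s;]*/dd_ssh)\s+\d+\s+(?P<cc>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\b"
)

def md5_file(path):
    # Dropped files are small, so hashing the whole content in one read is fine.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def find_known_files(directory, known=REPORTED_MD5):
    """Map path -> reported name for regular files whose MD5 is in `known`."""
    hits = {}
    for p in Path(directory).rglob("*"):
        if p.is_file() and not p.is_symlink():
            name = known.get(md5_file(p))
            if name:
                hits[str(p)] = name
    return hits

def parse_dd_ssh_launch(cmdline):
    """Return (binary, c2_ip) if cmdline matches the dd_ssh start, else None."""
    m = DD_SSH_CMD.search(cmdline)
    return (m.group("bin"), m.group("cc")) if m else None

def running_dd_ssh(proc_root="/proc"):
    """List (pid, binary, c2_ip) for live processes whose cmdline matches."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:  # processes may exit between listdir and read
            raw = Path(proc_root, pid, "cmdline").read_bytes()
        except OSError:
            continue
        found = parse_dd_ssh_launch(raw.replace(b"\0", b" ").decode(errors="replace"))
        if found:
            hits.append((int(pid),) + found)
    return hits
```

Run `find_known_files("/tmp")` and `running_dd_ssh()` as root on a suspect host; a hit from either is a reason to preserve the files and the process memory before cleaning up.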