[nsp-sec] distributed ssh scanners again
Michael Sinatra
michael at rancid.berkeley.edu
Wed Nov 3 13:21:05 EDT 2010
On 11/3/10 9:25 AM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
>
> At 11:43 AM 11/3/2010, Torsten Voss wrote:
>> ----------- nsp-security Confidential --------
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> we've received the malware from a compromised system:
>>
>> The malware was started similarly to the last one in summer:
>>
>> PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300
>> 217.79.190.53 2 2>/dev/null >/dev/null
>>
>> 217.79.190.53 is probably the C&C server for the distributed ssh scans
>
> Looking through my flows, this host was involved in a large scan aimed
> at UDP port 53. It happened to hit one of my resolvers which logged
>
> Nov 2 05:02:51 auth2 named[3784]: client 217.79.190.53#58439: query
> (cache) 'isc.org/TXT/IN' denied
>
> Other than looking for open resolvers, not sure what else they are up to.
The actual brute-force attacks appear slightly different than previous
distributed-brute-force attacks. In the past, they appeared to be going
through a dictionary of user names. This time, they're just going for
root. Each of the hosts (now ongoing over the past 18-20 hours) is
trying to log in as root to hosts running sshd. It may represent a
different type of malware than what we have seen in the past.
I'll be submitting the list of brute-forcing hosts to the usual places.
michael
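The two signals discussed in the thread (root-only brute force from many sources against sshd, and refused recursive queries in named's log from the suspected C&C host) can be pulled out of ordinary syslog lines and correlated. The following is an added example, not code from the list or its posters; the log lines are constructed to match OpenSSH's standard "Failed password for ... from ... port ..." format and the BIND "query (cache) ... denied" format quoted above, and use RFC 5737 documentation addresses rather than the IP in the thread. The thresholds (three distinct user names for "dictionary", two sources for "distributed") are assumptions chosen for the example.

```python
"""Triage of the log signals in the thread: root-only distributed ssh brute
force vs. a user-name dictionary, and open-resolver probes refused by BIND.

Added example; not code from the nsp-security thread. Sample log lines below
are constructed (RFC 5737 addresses), not captured from the reported hosts."""
import re
from collections import defaultdict

# OpenSSH auth failure. "invalid user" appears when the account does not exist.
SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
# BIND refusing a recursive query to a non-client (format quoted in the thread).
NAMED_DENIED = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query \(cache\) '(?P<qname>[^']+)' denied"
)

# Constructed sample input: three sources hammering root, one running a dictionary.
SAMPLE_AUTH = """\
Nov  3 01:02:03 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Nov  3 01:02:04 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Nov  3 01:02:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Nov  3 01:02:06 host sshd[1004]: Failed password for root from 203.0.113.9 port 40004 ssh2
Nov  3 01:02:07 host sshd[1005]: Failed password for root from 203.0.113.9 port 40005 ssh2
Nov  3 01:02:08 host sshd[1006]: Failed password for invalid user oracle from 192.0.2.77 port 40006 ssh2
Nov  3 01:02:09 host sshd[1007]: Failed password for invalid user test from 192.0.2.77 port 40007 ssh2
Nov  3 01:02:10 host sshd[1008]: Failed password for invalid user admin from 192.0.2.77 port 40008 ssh2
"""

# Constructed sample input: one brute-force source also probing for open resolvers.
SAMPLE_NAMED = """\
Nov  2 05:02:51 auth2 named[3784]: client 198.51.100.7#58439: query (cache) 'isc.org/TXT/IN' denied
Nov  2 05:02:52 auth2 named[3784]: client 192.0.2.200#1234: query (cache) 'isc.org/TXT/IN' denied
"""


def ssh_failures(lines):
    """Return {src: {user: count}} from sshd failed-password lines."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            out[m["src"]][m["user"]] += 1
    return {src: dict(users) for src, users in out.items()}


def classify_source(users, dictionary_min=3):
    """'root-only' if every attempt targeted root, 'dictionary' if the source
    cycled through several user names, 'single-user' otherwise."""
    names = set(users)
    if names == {"root"}:
        return "root-only"
    if len(names) >= dictionary_min:
        return "dictionary"
    return "single-user"


def distributed_root_sources(lines, min_sources=2):
    """Sources that only tried root. The campaign counts as distributed (in the
    thread's sense) once at least min_sources distinct hosts share the pattern."""
    srcs = sorted(src for src, users in ssh_failures(lines).items()
                  if classify_source(users) == "root-only")
    return srcs if len(srcs) >= min_sources else []


def resolver_probe_sources(lines):
    """Sources whose recursive queries BIND refused (open-resolver probing)."""
    srcs = set()
    for line in lines.splitlines():
        m = NAMED_DENIED.search(line)
        if m:
            srcs.add(m["src"])
    return sorted(srcs)


def overlap(auth_lines, named_lines):
    """Sources seen both in the root-only ssh brute force and the resolver scan."""
    return sorted(set(distributed_root_sources(auth_lines)) &
                  set(resolver_probe_sources(named_lines)))


if __name__ == "__main__":
    for src, users in ssh_failures(SAMPLE_AUTH).items():
        print(src, classify_source(users), users)
    print("distributed root-only:", distributed_root_sources(SAMPLE_AUTH))
    print("resolver probes:", resolver_probe_sources(SAMPLE_NAMED))
    print("overlap:", overlap(SAMPLE_AUTH, SAMPLE_NAMED))
```

Fed real /var/log/auth.log and named query-log output, the per-source list from `distributed_root_sources` is what you would submit to blocklists, and `overlap` is the quick check for whether a brute-forcing host is also the one scanning for open resolvers.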