[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?
Mike Tancsa
mike at sentex.net
Tue Apr 19 11:58:15 EDT 2011
On 4/19/2011 4:08 AM, Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find below a list of stolen FTP login credentials found in several lists
> on a server used for malicious activity. Unfortunately, I don't have information
> on when and how the credentials were stolen, but the filenames and timestamps
> of the lists indicate that they were harvested earlier this month.
> 11647 | 98.159.240.6 | CA | sentex.ca | annadur | 43****** | SENTEX-NET - Sentex Communications Corporation
(Note: I had to s/46/2e on the IP, as clamav sees the message as a potential phish/virus with that IP range in it (MBL_202716.UNOFFICIAL).)
Looking at this user's login history (the host is where our users save their personal web pages), it would seem the attacker had logged in multiple times from 2e.252.128.63 (times are GMT -0500):
annadur ftp 2e.252.128.63 Mon Apr 11 07:07 - 07:07 (00:00)
annadur ftp 2e.252.128.63 Sun Apr 10 16:04 - 16:04 (00:00)
annadur ftp 2e.252.128.63 Sun Apr 10 16:02 - 16:03 (00:00)
annadur ftp 2e.252.128.63 Sun Apr 10 12:23 - 12:24 (00:00)
annadur ftp 2e.252.128.63 Sun Apr 10 12:23 - 12:23 (00:00)
annadur ftp 2e.252.128.63 Sat Apr 9 09:11 - 09:26 (00:15)
annadur ftp 2e.252.128.63 Sat Apr 9 09:11 - 09:11 (00:00)
annadur ftp 2e.252.128.63 Sat Apr 9 06:17 - 06:17 (00:00)
annadur ftp 2e.252.128.63 Sat Apr 9 06:17 - 06:17 (00:00)
There also seems to be a lot of UDP communication to this IP from two of our other customers. Looking at my argus logs, a few others of my customers are initiating odd connections to that IP.
Also, 2e.252.128.15 seems to be involved somehow as well. The user who had their account compromised visited 2e.252.128.15 on port 80...
ra -L0 -nr 2e.252.128.63
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
04-07 20:02:59.791 Ne tcp 2e.252.128.15.80 -> 206.130.91.112.1099 106 152564 FIN
04-09 06:17:14.636 e d tcp 2e.252.128.63.4728 -> 98.159.240.6.21 16 1130 RST
04-09 06:17:15.373 e tcp 2e.252.128.63.2e75 -> 98.159.240.6.21 15 1040 RST
04-09 07:07:28.713 Ne tcp 2e.252.128.15.80 -> 67.43.140.104.3030 4 628 FIN
04-09 09:11:11.523 e d tcp 2e.252.128.63.2981 -> 98.159.240.6.21 15 1123 CON
04-09 09:11:13.243 e d tcp 2e.252.128.63.2072 -> 98.159.240.6.21 22 1704 CON
04-09 09:11:15.627 e tcp 2e.252.128.63.1602 -> 98.159.240.6.49823 8 1078 FIN
04-09 09:11:16.806 e d tcp 2e.252.128.63.3152 -> 98.159.240.6.59423 9 1140 FIN
04-09 09:11:17.214 e & tcp 2e.252.128.63.2981 -> 98.159.240.6.21 19 1548 CON
04-09 09:11:21.755 e tcp 2e.252.128.63.3016 -> 98.159.240.6.56884 10 42e2 FIN
04-09 09:11:21.880 e tcp 2e.252.128.63.2072 -> 98.159.240.6.21 11 905 CON
04-09 09:11:22.595 e d tcp 2e.252.128.63.2981 -> 98.159.240.6.21 10 733 CON
04-09 09:11:22.857 e tcp 2e.252.128.63.4456 -> 98.159.240.6.55911 12 6030 FIN
04-09 09:11:24.860 e s tcp 2e.252.128.63.3128 -> 98.159.240.6.65063 2 124 REQ
04-09 09:11:27.92e e r tcp 2e.252.128.63.2072 -> 98.159.240.6.21 20 1443 RST
04-09 09:11:29.245 e tcp 2e.252.128.63.1182 -> 98.159.240.6.55771 8 1432 FIN
04-09 09:11:33.865 e s tcp 2e.252.128.63.3128 -> 98.159.240.6.65063 1 62 REQ
04-09 09:26:24.535 e tcp 98.159.240.6.21 <?> 2e.252.128.63.2981 3 224 FIN
04-09 10:29:00.757 e tcp 2e.252.128.63.2981 ?> 98.159.240.6.21 1 60 RST
04-10 01:59:15.82e e udp 64.7.151.134.26318 -> 2e.252.128.63.44978 1 145 INT
04-10 07:17:34.353 e udp 64.7.151.99.55579 <-> 2e.252.128.63.44978 2 2e3 CON
04-10 12:23:20.782 e r tcp 2e.252.128.63.3283 -> 98.159.240.6.21 21 1597 CON
04-10 12:23:24.273 e tcp 2e.252.128.63.2e80 -> 98.159.240.6.58001 8 1078 FIN
04-10 12:23:26.597 e d tcp 2e.252.128.63.1871 -> 98.159.240.6.21 12 923 CON
04-10 12:23:26.909 e d tcp 2e.252.128.63.3283 -> 98.159.240.6.21 12 923 CON
04-10 12:23:33.679 e d tcp 2e.252.128.63.3359 -> 98.159.240.6.52934 6 1826 CON
04-10 12:23:35.208 e tcp 2e.252.128.63.1871 -> 98.159.240.6.21 23 1796 CON
04-10 12:23:35.872 e tcp 2e.252.128.63.1791 -> 98.159.240.6.63319 8 1078 FIN
04-10 12:23:37.009 e tcp 2e.252.128.63.3283 -> 98.159.240.6.21 3 296 CON
04-10 12:23:37.870 e tcp 2e.252.128.63.2619 -> 98.159.240.6.52390 6 3266 CON
04-10 12:23:43.311 e s tcp 2e.252.128.63.3359 -> 98.159.240.6.52934 6 2765 FIN
04-10 12:23:43.653 e d tcp 2e.252.128.63.3283 -> 98.159.240.6.21 14 1108 CON
04-10 12:23:47.679 e tcp 2e.252.128.63.2619 -> 98.159.240.6.52390 6 2765 FIN
04-10 12:23:48.018 e d tcp 2e.252.128.63.1871 -> 98.159.240.6.21 14 1148 CON
04-10 12:23:48.021 e d tcp 2e.252.128.63.2933 -> 98.159.240.6.54447 10 2518 FIN
04-10 12:23:49.361 e tcp 2e.252.128.63.3283 -> 98.159.240.6.21 9 732 CON
04-10 12:23:50.528 e d tcp 2e.252.128.63.3850 -> 98.159.240.6.57156 6 2278 FIN
04-10 12:23:52.688 e * tcp 2e.252.128.63.4843 -> 98.159.240.6.56620 18 7027 FIN
04-10 12:23:53.614 e tcp 2e.252.128.63.1871 -> 98.159.240.6.21 2 193 CON
04-10 12:23:55.985 e i tcp 2e.252.128.63.3283 -> 98.159.240.6.21 11 784 RST
04-10 12:24:00.063 e d tcp 2e.252.128.63.3850 -> 98.159.240.6.57156 4 1194 FIN
04-10 12:24:00.393 e & tcp 2e.252.128.63.1871 -> 98.159.240.6.21 17 1263 RST
04-10 12:24:01.393 e d tcp 2e.252.128.63.4382 -> 98.159.240.6.60971 16 6903 FIN
04-10 16:02:45.210 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 35 2684 CON
04-10 16:02:47.511 e tcp 2e.252.128.63.1930 -> 98.159.240.6.6182e 8 1078 FIN
04-10 16:02:49.132 e tcp 2e.252.128.63.2024 -> 98.159.240.6.60074 8 1432 FIN
04-10 16:02:50.434 e d tcp 2e.252.128.63.2084 -> 98.159.240.6.51797 13 6509 FIN
04-10 16:02:50.648 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 12 890 CON
04-10 16:02:56.663 e tcp 2e.252.128.63.2268 -> 98.159.240.6.63123 10 4930 FIN
04-10 16:02:56.986 e r tcp 2e.252.128.63.182e -> 98.159.240.6.21 14 112e CON
04-10 16:03:01.2e6 e tcp 2e.252.128.63.2649 -> 98.159.240.6.59152 13 5241 FIN
04-10 16:03:02.118 e tcp 2e.252.128.63.182e -> 98.159.240.6.21 8 499 RST
04-10 16:04:25.822 e tcp 2e.252.128.63.2824 -> 98.159.240.6.21 15 1122 CON
04-10 16:04:31.163 e tcp 2e.252.128.63.2925 -> 98.159.240.6.62845 8 1078 FIN
04-10 16:04:31.486 e r tcp 2e.252.128.63.2824 -> 98.159.240.6.21 35 2696 CON
04-10 16:04:32.786 e tcp 2e.252.128.63.3144 -> 98.159.240.6.50444 8 1432 FIN
04-10 16:04:34.093 e tcp 2e.252.128.63.3195 -> 98.159.240.6.61077 12 5068 FIN
04-10 16:04:35.723 e i tcp 2e.252.128.63.3278 -> 98.159.240.6.55153 10 4941 FIN
04-10 16:04:36.705 e d tcp 2e.252.128.63.2824 -> 98.159.240.6.21 10 752 CON
04-10 16:04:38.709 e * tcp 2e.252.128.63.3386 -> 98.159.240.6.62204 17 5479 RST
04-10 16:04:41.879 e tcp 2e.252.128.63.2824 -> 98.159.240.6.21 11 784 RST
04-10 16:53:25.872 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 18:09:35.976 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 18:23:43.844 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 18:53:48.024 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 19:09:08.014 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 19:39:19.951 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 19:54:48.002 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 20:10:32.001 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 20:41:15.976 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 21:11:32.074 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 22:10:08.065 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 22:13:2e.051 Ne udp 2e.252.128.63.44978 -> 64.7.147.122.52e38 1 305 INT
04-10 22:39:08.203 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 23:08:32.158 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
04-10 23:50:32.223 e udp 64.7.151.249.60305 <-> 2e.252.128.63.44978 2 2e4 CON
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
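One way to do the correlation described in the post, as an added example (not code from the post or from argus): it parses `last`-style FTP login lines and `ra -L0 -n` flow records, counts logins per account from a suspect host, and reports peers with repeated fixed-size UDP exchanges to one port on that host. The addresses, timestamps and sample records are constructed (RFC 5737 ranges), and the year is assumed to be 2011 because argus prints only month and day.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
# Constructed sample data (RFC 5737 addresses) in `last`-style and `ra -L0 -n` formats.
LASTLOG = """\
annadur ftp 192.0.2.63 Sun Apr 10 16:04 - 16:04 (00:00)
annadur ftp 192.0.2.63 Sat Apr 9 09:11 - 09:26 (00:15)
bob ftp 198.51.100.77 Sat Apr 9 08:00 - 08:01 (00:01)
"""
FLOWS = """\
04-09 09:11:11.523 e d tcp 192.0.2.63.2981 -> 198.51.100.6.21 15 1123 CON
04-10 16:53:25.872 e udp 203.0.113.249.60305 <-> 192.0.2.63.44978 2 264 CON
04-10 18:09:35.976 e udp 203.0.113.249.60305 <-> 192.0.2.63.44978 2 264 CON
04-10 18:23:43.844 e udp 203.0.113.249.60305 <-> 192.0.2.63.44978 2 264 CON
04-10 18:53:48.024 e udp 203.0.113.249.60305 <-> 192.0.2.63.44978 2 264 CON
04-10 01:59:15.826 e udp 203.0.113.134.26318 -> 192.0.2.63.44978 1 145 INT
"""

def parse_flow(line, year=2011):
    """Index from the right (the Flgs column has a variable token count); argus prints host.port."""
    t = line.split()
    start = datetime.strptime(f"{year}-{t[0]} {t[1]}", "%Y-%m-%d %H:%M:%S.%f")
    src, dst = tuple(t[-6].rsplit(".", 1)), tuple(t[-4].rsplit(".", 1))
    return {"start": start, "proto": t[-7], "src": src, "dst": dst, "bytes": int(t[-2])}

def ftp_logins_from(lastlog, suspect):
    """Count FTP sessions per account whose source host is the suspect IP."""
    hits = Counter()
    for line in lastlog.splitlines():
        user, svc, host = line.split()[:3]
        if svc == "ftp" and host == suspect:
            hits[user] += 1
    return dict(hits)

def udp_beacon_candidates(flows, suspect, min_flows=3):
    """Report peers with repeated fixed-size UDP exchanges to one port on the suspect host."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp":
            for a, b in ((f["src"], f["dst"]), (f["dst"], f["src"])):
                if a[0] == suspect:
                    groups[(b[0], a[1])].append(f)
    out = {}
    for (peer, port), recs in groups.items():
        if len(recs) >= min_flows:
            starts = sorted(r["start"] for r in recs)
            gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
            out[(peer, port)] = {"flows": len(recs), "median_gap_min": round(median(gaps), 1),
                                 "fixed_size": len({r["bytes"] for r in recs}) == 1}
    return out
```

A peer that shows up once (the single INT record) is not reported; the repeated same-size exchanges from one customer to the same port on the suspect host are, together with their median spacing.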