[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?
Harri Sylvander
harri.sylvander at csc.fi
Wed Apr 20 06:13:44 EDT 2011
Hey,
> please find below a list of stolen FTP login credentials found in several lists
> on a server used for malicious activity. Unfortunately, I don't have information
> on when and how the credentials were stolen, but the filenames and timestamps
> of the lists indicate that they were harvested earlier this month.
Thanks for the heads up!
ACK 1739, 1741, 15496
> 1739 | 130.230.10.20
> 1739 | 130.230.10.24
> 1739 | 130.230.10.29
> 1739 | 130.230.10.30
> 1739 | 130.230.106.22
> 1739 | 130.230.106.36
> 1741 | 193.166.7.119
> 1741 | 193.166.7.119
> 1741 | 193.167.33.237
> 15496 | 130.233.228.9
One note that may or may not be useful to others. At least some of
these boxes have never had an FTP server running on them. I know
for a fact though that a couple of those credentials have been
compromised in a case where an attacker managed to replace an sshd
binary on a server.
The first few chars of the reported passwords match the ones that were
compromised in that incident ~6 months ago. Obviously possible that
the users have reverted to the same old or similar passwords. The
other possibility is that there is also some old data mixed in and at
least some of the reported credentials might be for services other
than FTP.
Looking at flowdata we do see connection attempts to 21/tcp, even when
there is no FTP server running, from the same IP that was reported in
by Mike:
> Looking at this user's login history (the host is where our users
> save their personal webpages) it would seem the attacker had logged
> in multiple times from 46.252.128.63 (times are GMT -500)
AS | IP | AS Name
25190 | 46.252.128.63 | KIS-AS UAB _Kauno Interneto Sistemos_
An excerpt from our flowdata, timestamps (UTC+3):
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2011-04-11 13:54:45.430 9.030 TCP 46.252.128.63:1747 -> 193.166.7.119:21 ....S. 0 3 144 0 127 48 1
2011-04-11 13:54:45.430 29.920 TCP 46.252.128.63:1746 -> 193.166.7.119:21 ....S. 0 6 288 0 77 48 1
2011-04-11 13:55:06.740 8.940 TCP 46.252.128.63:3136 -> 193.166.7.119:21 ....S. 0 3 144 0 128 48 1
2011-04-11 13:57:54.820 8.880 TCP 46.252.128.63:4843 -> 193.166.7.119:21 ....S. 0 3 144 0 129 48 1
2011-04-11 13:57:54.820 8.880 TCP 46.252.128.63:4842 -> 193.166.7.119:21 ....S. 0 3 144 0 129 48 1
2011-04-11 13:58:16.090 9.040 TCP 46.252.128.63:1695 -> 193.166.7.119:21 ....S. 0 2 96 0 84 48 1
And as far as the possible C&C, I can verify seeing UDP traffic in our
netflow to and from:
46.252.128.63:44978
i.e. same IP, same port as Mike reported.
The flows are, however, from a host that was not in the list of
compromised accounts.
Mike's data:
> 04-10 01:59:15.82e e udp 64.7.151.134.26318 -> 46.252.128.63.44978 1 145 INT
> 04-10 07:17:34.353 e udp 64.7.151.99.55579 <-> 46.252.128.63.44978 2 2e3 CON
> 04-10 16:53:25.872 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 18:09:35.976 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 18:23:43.844 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 18:53:48.024 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 19:09:08.014 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 19:39:19.951 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 19:54:48.002 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 20:10:32.001 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 20:41:15.976 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 21:11:32.074 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 22:10:08.065 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 22:13:2e.051 Ne udp 46.252.128.63.44978 -> 64.7.147.122.52e38 1 305 INT
> 04-10 22:39:08.203 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 23:08:32.158 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
> 04-10 23:50:32.223 e udp 64.7.151.249.60305 <-> 46.252.128.63.44978 2 2e4 CON
Cheers,
-hts
--
Harri Sylvander, Funet CERT, CSC - IT Center for Science Ltd.
P.O. Box 405, 02101 Espoo, Finland, tel +358 9 457 2082
CSC is the Finnish IT Center for Science, http://www.csc.fi/
e-mail: harri.sylvander at csc.fi
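An added example (my own, not code from the post or from Funet CERT) that screens nfdump-style flow records like the excerpt above for the two things the message checks by eye: SYN-only attempts to 21/tcp on hosts not known to run FTP, and UDP flows to the reported endpoint 46.252.128.63:44978. The sample records and the FTP_SERVERS allowlist are constructed.

```python
import re
from collections import Counter

# Constructed sample records in the nfdump-like layout of the excerpt:
# date time duration proto src:port -> dst:port flags tos packets bytes ...
SAMPLE_FLOWS = """\
2011-04-11 13:54:45.430 9.030 TCP 46.252.128.63:1747 -> 193.166.7.119:21 ....S. 0 3 144 0 127 48 1
2011-04-11 13:54:45.430 29.920 TCP 46.252.128.63:1746 -> 193.166.7.119:21 ....S. 0 6 288 0 77 48 1
2011-04-11 14:02:10.000 0.500 TCP 10.0.0.5:51000 -> 193.166.7.200:21 .AP.SF 0 40 5120 80 81920 128 1
2011-04-11 14:10:00.000 0.010 UDP 10.0.0.9:60305 -> 46.252.128.63:44978 ...... 0 2 204 0 0 102 1
"""

FTP_SERVERS = {"193.166.7.200"}          # hosts known to run FTP (assumed allowlist)
CC_ENDPOINT = ("46.252.128.63", 44978)   # UDP endpoint reported in the thread
FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dur>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[.UAPRSF]{6}) (?P<tos>\d+) (?P<pkts>\d+) (?P<bytes>\d+)"
)

def parse_flows(text):
    """Parse one record per line; lines that do not match (headers) are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "tos", "pkts", "bytes"):
                rec[k] = int(rec[k])
            flows.append(rec)
    return flows

def syn_only_ftp_probes(flows, ftp_servers):
    """TCP flows to 21/tcp carrying only SYNs (no ACK, no FIN) toward hosts
    that run no FTP service: connection attempts, not sessions."""
    return [f for f in flows
            if f["proto"] == "TCP" and f["dport"] == 21
            and f["flags"] == "....S." and f["dst"] not in ftp_servers]

def cc_contacts(flows, endpoint):
    """Count internal hosts exchanging UDP with the reported endpoint,
    whichever direction the flow was recorded in."""
    peers = Counter()
    for f in flows:
        if f["proto"] == "UDP" and (f["dst"], f["dport"]) == endpoint:
            peers[f["src"]] += 1
        elif f["proto"] == "UDP" and (f["src"], f["sport"]) == endpoint:
            peers[f["dst"]] += 1
    return peers
```

Run it over a real nfdump export with the site's actual FTP allowlist; hosts that show up in cc_contacts but not in the reported credential list are the ones worth looking at next.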