[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?

SURFcert - Peter p.g.m.peters at utwente.nl
Wed Apr 20 09:06:35 EDT 2011


Harri Sylvander wrote on 20-04-2011 12:13:
> One note that may or may not be useful to others. At least some of
> these boxes have never had an FTP server running on them. I know
> for a fact though that a couple of those credentials have been
> compromised in a case where an attacker managed to replace an sshd
> binary on a server.
>
> The first few chars of the reported passwords match the ones that were
> compromised in that incident ~6 months ago. Obviously possible that
> the users have reverted to the same old or similar passwords. The
> other possibility is that there is also some old data mixed in and at
> least some of the reported credentials might be for services other
> than FTP.
I have confirmation that at least two accounts were collected a couple
of months ago. Both were used on one computer a couple of months ago
(last year).
> Looking at flowdata we do see connection attempts to 21/tcp, even when
> there is no FTP server running, from the same IP that was reported in
> by Mike:
>
> An excerpt from our flowdata, timestamps (UTC+3):
>
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps Bpp Flows
> 2011-04-11 13:54:45.430     9.030 TCP      46.252.128.63:1747  ->   193.166.7.119:21    ....S.   0        3      144        0      127  48     1
> 2011-04-11 13:54:45.430    29.920 TCP      46.252.128.63:1746  ->   193.166.7.119:21    ....S.   0        6      288        0       77  48     1
> 2011-04-11 13:55:06.740     8.940 TCP      46.252.128.63:3136  ->   193.166.7.119:21    ....S.   0        3      144        0      128  48     1
> 2011-04-11 13:57:54.820     8.880 TCP      46.252.128.63:4843  ->   193.166.7.119:21    ....S.   0        3      144        0      129  48     1
> 2011-04-11 13:57:54.820     8.880 TCP      46.252.128.63:4842  ->   193.166.7.119:21    ....S.   0        3      144        0      129  48     1
> 2011-04-11 13:58:16.090     9.040 TCP      46.252.128.63:1695  ->   193.166.7.119:21    ....S.   0        2       96        0       84  48     1

We have found attempts to access the ftp-server with the account and
password found:

<account> ftp 46.252.128.63 Mon Apr 11 17:38 - 17:39 (00:00)
<account> ftp 46.252.128.63 Mon Apr 11 13:04 - 13:04 (00:00)

The password had already been changed so they didn't get access.

-- 
Peter Peters                     /------\           SURFnet bv
SURFcert                         | SURF |           cert.surfnet.nl
cert at surfnet.nl                  \-----\ \-----\    Postbus 19035
PGP Key ID 0x5A52C966                   | CERT |    NL-3501 DA  Utrecht
+31 30 2305 305                         \------/    fax: +31 30 2305 329
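The flow excerpt Harri quoted shows bare SYNs to 21/tcp (flags `....S.`, 48 bytes per packet, several packets: the client retransmitting a SYN that nothing answered), and Peter's `last`-style lines show the same source later trying the stolen account once an FTP server did listen. The script below is an added example, not code from the thread or from SURFcert, that parses both kinds of record and reports sources appearing in each; the flow and login samples are constructed to mirror the quoted excerpts, and the fourth flow row (a completed SSH session from a documentation address) is invented for contrast.

```python
from collections import Counter
# Constructed sample in nfdump's default "line" output: the first three records mirror
# the excerpt quoted above (timestamps UTC+3), the fourth is a made-up completed SSH
# session from a documentation address, for contrast.
FLOWS = """\
2011-04-11 13:54:45.430     9.030 TCP      46.252.128.63:1747  ->   193.166.7.119:21    ....S.   0        3      144        0      127    48     1
2011-04-11 13:54:45.430    29.920 TCP      46.252.128.63:1746  ->   193.166.7.119:21    ....S.   0        6      288        0       77    48     1
2011-04-11 13:55:06.740     8.940 TCP      46.252.128.63:3136  ->   193.166.7.119:21    ....S.   0        3      144        0      128    48     1
2011-04-11 14:10:00.000    12.000 TCP      192.0.2.10:40001    ->   193.166.7.119:22    .AP.SF   0       40     4200        3     2800   105     1
"""
# Constructed `last`-style entries in the shape Peter quoted (account redacted).
LOGINS = """\
<account> ftp 46.252.128.63 Mon Apr 11 17:38 - 17:39 (00:00)
<account> ftp 46.252.128.63 Mon Apr 11 13:04 - 13:04 (00:00)
"""
FIELDS = ("start", "duration", "proto", "src", "arrow", "dst", "flags", "tos",
          "packets", "bytes", "pps", "bps", "bpp", "flows")

def parse_flows(text):
    """Parse nfdump 'line' records; date and time are merged into one 'start' field."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) + 1:          # skip header/blank lines
            continue
        rec = dict(zip(FIELDS, [parts[0] + " " + parts[1]] + parts[2:]))
        rec["packets"], rec["bytes"] = int(rec["packets"]), int(rec["bytes"])
        rec["src_ip"] = rec["src"].rsplit(":", 1)[0]
        rec["dst_ip"], port = rec["dst"].rsplit(":", 1)
        rec["dst_port"] = int(port)
        records.append(rec)
    return records

def is_unanswered_syn(rec):
    """nfdump flags are UAPRSF aggregated over the flow: SYN set but ACK never set
    means the handshake never completed (nothing listening, or the SYN was dropped)."""
    return rec["proto"] == "TCP" and rec["flags"][4] == "S" and rec["flags"][1] != "A"

def syn_probes_by_source(records, dst_port=21):
    """Count unanswered SYN flows per source IP toward dst_port."""
    return dict(Counter(r["src_ip"] for r in records
                        if r["dst_port"] == dst_port and is_unanswered_syn(r)))

def correlate(flow_text=FLOWS, login_text=LOGINS, dst_port=21):
    """Sources that probed dst_port without a completed handshake and later turned up
    in the FTP login records, i.e. the host trying the stolen credentials."""
    probes = syn_probes_by_source(parse_flows(flow_text), dst_port)
    login_hosts = {l.split()[2] for l in login_text.splitlines() if l.split()[1] == "ftp"}
    return sorted(set(probes) & login_hosts)
```

Feed it real `nfdump -o line` output and `last` output for the FTP hosts, and the result is the list of sources worth blocking at the border and checking against the leaked credential dump.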


