[nsp-sec] ACK 174 RE: rooted UNIX boxes
Shelton, Steve
sshelton at Cogentco.com
Tue Jun 28 06:07:27 EDT 2011
Dirk,
Thanks! ACK for 174.
Steve Shelton
Sec Engineer
Cogent Communications
sshelton at cogentco.com
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dirk Stander
Sent: Tuesday, June 28, 2011 5:28 AM
To: nsp-sec
Subject: [nsp-sec] rooted UNIX boxes
----------- nsp-security Confidential --------
Hi,
please find attached a list of compromised servers found
in an email drop box. The servers do have a userland root
kit installed and are running a trojanized ssh/sshd.
I'm not sure about the initial attack vector.
The format of the list is:
<ASN> | <CC> | <IP> | <PTR> | <time GMT> | <SMTP sender> | <AS DESC>
kind regards, Dirk Stander (1&1 Internet AG) :.
20110628-rooted-boxes.txt
174 | EU | 82.138.82.87 | bisrvdocuments.bysoft.fr. | Sat Jun 11 15:24:05 2011 | root at bisrvdocuments.bysoft.fr | COGENT Cogent/PSI
174 | EU | 82.138.82.87 | bisrvdocuments.bysoft.fr. | Sat Jun 11 15:24:05 2011 | root at bisrvdocuments.bysoft.fr | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Fri Jun 17 20:37:05 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Fri Jun 24 20:37:11 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Mon Jun 13 20:37:08 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Mon Jun 20 20:37:06 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sat Jun 11 09:01:46 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sat Jun 11 09:01:46 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sat Jun 11 20:37:41 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sat Jun 18 20:37:06 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sun Jun 12 20:37:20 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sun Jun 19 20:43:16 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Thu Jun 16 20:43:51 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Thu Jun 23 20:37:11 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Tue Jun 14 20:37:29 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Tue Jun 21 20:37:06 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Wed Jun 15 20:37:06 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Wed Jun 22 20:37:12 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | US | 74.220.16.95 | new-millennium.ecillin.com. | Tue Feb 15 08:02:05 2011 | root at new-millennium.ecillin.com | COGENT Cogent/PSI
174 | US | 74.220.16.95 | new-millennium.ecillin.com. | Wed Feb 16 08:02:05 2011 | root at new-millennium.ecillin.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Mon May 16 15:01:06 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Mon May 16 15:01:06 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue Feb 15 08:02:33 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue Feb 15 12:38:31 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 02:27:14 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 08:02:38 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 12:56:34 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 12:56:49 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 12:56:50 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 12:57:23 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 13:02:44 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.17.204 | vm-searchlight.intersessions.com. | Tue May 17 16:07:38 2011 | root at vm-searchlight.intersessions.com | COGENT Cogent/PSI
174 | US | 74.220.23.17 | helmet.wpcomp.com. | Thu Feb 17 08:02:17 2011 | root at helmet.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.17 | helmet.wpcomp.com. | Tue Feb 15 08:02:25 2011 | root at helmet.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.17 | helmet.wpcomp.com. | Wed Feb 16 08:02:34 2011 | root at helmet.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Fri Feb 25 08:19:59 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Fri Mar 4 08:02:15 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Mon Feb 28 08:02:31 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Mon Feb 28 12:43:26 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Mon Feb 28 19:01:06 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Mon Mar 7 08:02:49 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sat Feb 26 00:58:38 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sat Feb 26 08:02:25 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sat Feb 26 15:29:23 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sat Mar 5 08:02:17 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sun Feb 27 08:02:41 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sun Feb 27 15:36:40 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Sun Mar 6 08:02:23 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Thu Feb 24 08:02:22 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Thu Feb 24 15:43:33 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Thu Mar 3 08:02:17 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Thu Mar 10 03:26:37 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Tue Feb 22 20:43:56 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Tue Feb 22 20:43:56 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Tue Mar 1 15:30:11 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Tue Mar 8 08:02:39 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Wed Feb 23 08:02:31 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Wed Feb 23 18:35:29 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Wed Mar 2 08:02:46 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Wed Mar 9 08:02:33 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
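A small ingest script for the list format Dirk describes (`<ASN> | <CC> | <IP> | <PTR> | <time GMT> | <SMTP sender> | <AS DESC>`), added here as an example; it is not part of the original mail and not the 1&1 drop-box tooling. It parses each line, drops exact duplicate sightings (the list above contains several), keeps only the rows for the receiving network's own ASN (174, as in the ACK), and reduces the list to one line per host with first and last seen. The names `Record`, `parse_report`, `records_for_asn` and `summarize` are chosen for this example; the sample lines are copied from the list above, plus one constructed line with a private-use ASN (65000) and a TEST-NET address to exercise the ASN filter.

```python
"""Ingest a pipe-delimited compromised-host report of the form
<ASN> | <CC> | <IP> | <PTR> | <time GMT> | <SMTP sender> | <AS DESC>
and reduce it to one triage line per host for the receiving network."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

FIELDS = ("asn", "cc", "ip", "ptr", "seen", "sender", "as_desc")
# e.g. "Sat Jun 11 15:24:05 2011"; the day may be a single digit ("Fri Mar 4 ...")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


@dataclass(frozen=True)
class Record:
    asn: int
    cc: str
    ip: str
    ptr: str
    seen: datetime          # timezone-aware UTC; the column is documented as GMT
    sender: str
    as_desc: str


def parse_record(line: str) -> Record:
    """Parse one report line. A malformed line raises ValueError so that it is
    noticed rather than silently dropped from the triage list."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    seen = datetime.strptime(parts[4], TIME_FORMAT).replace(tzinfo=timezone.utc)
    return Record(asn=int(parts[0]), cc=parts[1], ip=parts[2],
                  ptr=parts[3].rstrip("."),   # drop the trailing root-label dot
                  seen=seen, sender=parts[5], as_desc=parts[6])


def parse_report(text: str) -> list[Record]:
    """Parse all non-empty lines, dropping exact duplicate records (the drop
    box lists the same sighting more than once)."""
    unique, records = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec not in unique:          # frozen dataclass -> hashable by value
            unique.add(rec)
            records.append(rec)
    return records


def records_for_asn(records: list[Record], asn: int) -> list[Record]:
    """Keep only the rows that belong to the given ASN (the receiving network)."""
    return [r for r in records if r.asn == asn]


def summarize(records: list[Record]) -> dict[str, dict]:
    """One entry per IP: PTR, number of distinct sightings, first and last seen."""
    by_ip: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    return {
        ip: {
            "ptr": rows[0].ptr,
            "sightings": len(rows),
            "first_seen": min(r.seen for r in rows),
            "last_seen": max(r.seen for r in rows),
        }
        for ip, rows in by_ip.items()
    }


# Sample input: five lines copied from the report above (including one exact
# duplicate pair, as in the original) plus one constructed line for a
# private-use ASN (65000) and a TEST-NET address, to show the ASN filter.
SAMPLE_REPORT = """\
174 | EU | 82.138.82.87 | bisrvdocuments.bysoft.fr. | Sat Jun 11 15:24:05 2011 | root at bisrvdocuments.bysoft.fr | COGENT Cogent/PSI
174 | EU | 82.138.82.87 | bisrvdocuments.bysoft.fr. | Sat Jun 11 15:24:05 2011 | root at bisrvdocuments.bysoft.fr | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Sat Jun 11 09:01:46 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | EU | 82.138.98.72 | ns9872.selfserveur.com. | Fri Jun 24 20:37:11 2011 | root at ns9872.selfserveur.com | COGENT Cogent/PSI
174 | US | 74.220.23.26 | vps-201.wpcomp.com. | Fri Mar 4 08:02:15 2011 | root at vps-201.wpcomp.com | COGENT Cogent/PSI
65000 | ZZ | 192.0.2.10 | host.example.net. | Mon Jun 27 10:00:00 2011 | root at host.example.net | EXAMPLE-AS constructed
"""

if __name__ == "__main__":
    own = records_for_asn(parse_report(SAMPLE_REPORT), 174)
    for ip, info in sorted(summarize(own).items()):
        print(f"{ip:16} {info['ptr']:30} x{info['sightings']} "
              f"{info['first_seen']:%Y-%m-%d %H:%M} .. {info['last_seen']:%Y-%m-%d %H:%M}")
```

Running it prints one line per host in the receiving ASN with the sighting count and the first/last timestamps, which is the shape in which such a list is normally handed to an abuse desk: the duplicate `bisrvdocuments.bysoft.fr` sighting collapses to one, the foreign-ASN line is filtered out, and the single-digit day in `Fri Mar 4` parses correctly.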