[nsp-sec] Likely compromised servers receiving harvested SSH credentials
Gabriel Iovino
giovino at ren-isac.net
Thu Feb 28 17:27:00 EST 2013
Greetings,
A few of us have been tracking Phalanx2[1] rootkit compromises and often
a trojaned ssh/sshd would be found with the rootkit. A recent (related)
trojaned ssh/sshd was discussed on the ISC Diary[2].
We believe the four hosts below are likely receiving harvested SSH
credentials over port 53. These were discovered via a DGA algorithm. A
good first indicator of this is that all the port 53 traffic will be one way;
the hosts below would not be responding to the traffic.
> 45557 | 180.148.1.138 | 180.148.1.0/24 | VN | apnic | 2009-08-24 | VNTT-AS-VN Vietnam Technology and Telecommunication JSC
> 33724 | 208.68.232.131 | 208.68.232.0/24 | US | arin | 2006-07-17 | BIZNESSHOSTING - VOLICO
> 8685 | 212.58.20.10 | 212.58.16.0/21 | TR | ripencc | 1998-03-11 | DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.
> 6389 | 72.156.139.154 | 72.156.128.0/20 | US | arin | 2005-08-11 | BELLSOUTH-NET-BLK - BellSouth.net Inc
If we can confirm that these are receiving harvested SSH credentials
then the following would be of interest:
1. Any host sending port 53 traffic to these hosts (minus random DNS scanners) is
likely compromised and leaking credentials. Those hosts should be
remediated.
2. The harvested credentials should be shipped to an upstream
host/proxy. What is this host?
3. These servers are compromised and should be remediated.
If you can help, please let me know; this is the first time the
exfiltration host(s) have changed in some time.
Gabe
[1] Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux
Rootkit
http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
[2] SSHD rootkit in the wild
https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
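The one-way port 53 indicator described in the message, turned into a check over flow records. This is an added example, not code from the post or from REN-ISAC: it reads constructed NetFlow-style records (one unidirectional flow per line), keeps only traffic to the four listed addresses on port 53, drops hosts that got any reply from that address (the post says the receivers do not respond), and applies an assumed packet threshold to skip one-off scanner probes.

```python
from collections import defaultdict

# The four addresses reported in the post above.
WATCHLIST = {"180.148.1.138", "208.68.232.131", "212.58.20.10", "72.156.139.154"}

# Constructed sample flow records (not real data): src dst proto dport packets.
SAMPLE_FLOWS = """\
10.1.2.3 180.148.1.138 udp 53 12
10.1.2.3 180.148.1.138 udp 53 3
10.1.9.9 208.68.232.131 udp 53 40
208.68.232.131 10.1.9.9 udp 53 1
10.1.5.5 8.8.8.8 udp 53 200
8.8.8.8 10.1.5.5 udp 53 200
10.1.7.7 212.58.20.10 tcp 22 5
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, proto, dport, pkts)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, pkts = line.split()
        flows.append((src, dst, proto, int(dport), int(pkts)))
    return flows


def one_way_port53_talkers(flows, watchlist=WATCHLIST, min_packets=2):
    """Return {host: [watchlist_ip, ...]} for hosts that sent at least
    min_packets to port 53 of a watchlisted address that never sent
    anything back. min_packets is an assumed heuristic to filter
    single-probe DNS scanners, not something the post specifies."""
    sent = defaultdict(int)   # (host, watch_ip) -> packets sent to port 53
    replied = set()           # (watch_ip, host) pairs with any return traffic
    for src, dst, proto, dport, pkts in flows:
        if dst in watchlist and dport == 53:
            sent[(src, dst)] += pkts
        if src in watchlist:
            replied.add((src, dst))
    suspects = defaultdict(list)
    for (host, watch_ip), pkts in sent.items():
        if pkts >= min_packets and (watch_ip, host) not in replied:
            suspects[host].append(watch_ip)
    return dict(suspects)


if __name__ == "__main__":
    for host, targets in one_way_port53_talkers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: one-way port 53 traffic to {', '.join(targets)}")
```

In the sample data only 10.1.2.3 is flagged: 10.1.9.9 received a reply from the listed address, and the 8.8.8.8 resolver traffic is not on the watchlist.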