[nsp-sec] Likely compromised servers receiving harvested SSH credentials
Smith, Donald
Donald.Smith at CenturyLink.com
Fri Mar 1 14:01:13 EST 2013
Bojan published this additional drop site ip address in his sans diary.
78.47.139.110.
http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
I am seeing udp 53 towards that IP address too.
Of course I just have sampled netflow, so no content; I can't see what is inside those packets :)
I do however see lots of small udp 53 packets, 75-106 byte packets, which is almost certainly credentials.
My report isn't complete (and may take most of the day) but I am seeing traffic back to 02-02
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] on behalf of Gabriel Iovino [giovino at ren-isac.net]
Sent: Thursday, February 28, 2013 3:27 PM
To: NSP nsp-security
Subject: [nsp-sec] Likely compromised servers receiving harvested SSH credentials
----------- nsp-security Confidential --------
Greetings,
A few of us have been tracking Phalanx2[1] rootkit compromises and often
a trojaned ssh/sshd would be found with the rootkit. A recent (related)
trojaned ssh/sshd was discussed on the ISC Diary[2].
We believe the four hosts below are likely receiving harvested SSH
credentials over port 53. These were discovered via a DGA algorithm. A
good first indicator of this is that all the port 53 traffic will be one way;
those hosts below would not be responding to the traffic.
> 45557 | 180.148.1.138 | 180.148.1.0/24 | VN | apnic | 2009-08-24 | VNTT-AS-VN Vietnam Technology and Telecommunication JSC
> 33724 | 208.68.232.131 | 208.68.232.0/24 | US | arin | 2006-07-17 | BIZNESSHOSTING - VOLICO
> 8685 | 212.58.20.10 | 212.58.16.0/21 | TR | ripencc | 1998-03-11 | DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.
> 6389 | 72.156.139.154 | 72.156.128.0/20 | US | arin | 2005-08-11 | BELLSOUTH-NET-BLK - BellSouth.net Inc
If we can confirm that these are receiving harvested SSH credentials
then the following would be of interest:
1. Any hosts with port 53 traffic to these hosts (minus random DNS scanners) are
likely compromised and leaking credentials. Those hosts should be
remediated.
2. The harvested credentials should be shipped to an upstream
host/proxy. What is this host?
3. These servers are compromised and should be remediated.
If you can help, please let me know; this is the first time the
exfiltration host(s) has changed in some time.
Gabe
[1] Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux
Rootkit
http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
[2] SSHD rootkit in the wild
https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
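As an added defender-side example, not part of either message in the thread: the heuristic both posts describe (UDP/53 flows to the drop sites that are one-way and carry small 75-106 byte packets) applied to sampled-netflow records. The record format and the 192.0.2.x/198.51.100.x source addresses are constructed for the example; the drop-site IPs are the ones listed in the thread.

```python
# Flag internal hosts sending one-way, small UDP/53 flows to the drop-site IPs.
# Example code written for this thread, not a tool from either poster.
from collections import defaultdict

# Drop-site IPs quoted in the thread (Gabe's four plus the one from the ISC diary).
DROP_SITES = {"180.148.1.138", "208.68.232.131", "212.58.20.10",
              "72.156.139.154", "78.47.139.110"}
# Packet-size band Donald reports for the suspected credential packets (bytes).
MIN_PKT, MAX_PKT = 75, 106

# Constructed sampled-netflow records: proto,src,sport,dst,dport,bytes,pkts
SAMPLE_FLOWS = """\
udp,192.0.2.10,41337,180.148.1.138,53,180,2
udp,192.0.2.10,41338,180.148.1.138,53,95,1
udp,192.0.2.20,53001,208.68.232.131,53,512,1
udp,208.68.232.131,53,192.0.2.20,53001,600,1
udp,192.0.2.30,5353,212.58.20.10,53,88,1
udp,192.0.2.30,5353,212.58.20.10,53,100,1
udp,192.0.2.40,40000,198.51.100.5,53,80,1
tcp,192.0.2.50,22000,72.156.139.154,53,90,1
"""

def parse_flows(text):
    """Parse the constructed CSV-style records into tuples with numeric fields."""
    flows = []
    for line in text.splitlines():
        proto, src, sport, dst, dport, nbytes, pkts = line.split(",")
        flows.append((proto, src, int(sport), dst, int(dport), int(nbytes), int(pkts)))
    return flows

def suspect_leakers(flows):
    """Return {src: sorted average packet sizes} for hosts whose UDP/53 traffic
    to a drop site is one-way (no reply flow seen) and within the small-packet band."""
    to_drop = defaultdict(list)
    replied = set()
    for proto, src, sport, dst, dport, nbytes, pkts in flows:
        if proto == "udp" and dport == 53 and dst in DROP_SITES:
            to_drop[src].append(nbytes / pkts)
        elif proto == "udp" and sport == 53 and src in DROP_SITES:
            replied.add(dst)  # a drop site answering looks like real DNS, not a leak
    result = {}
    for src, sizes in to_drop.items():
        if src in replied:
            continue  # bidirectional exchange: skip, the thread says leaks are one-way
        small = [s for s in sizes if MIN_PKT <= s <= MAX_PKT]
        if small:
            result[src] = sorted(small)
    return result
```

Hosts returned by `suspect_leakers` are candidates for remediation in the sense of Gabe's point 1; a real deployment would read actual flow exports rather than the constructed records.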