[nsp-sec] Likely compromised servers receiving harvested SSH credentials
Thomas Hungenberg
th.lab at hungenberg.net
Fri Mar 1 16:44:19 EST 2013
On 01.03.2013 20:01, Smith, Donald wrote:
> Bojan published this additional drop site IP address in his SANS diary.
>
> 78.47.139.110.
This is the fallback exfiltration host to which the harvested SSH login credentials
are sent if the domain names generated by the DGA do not resolve.
This server (hosted in Germany) was taken down one week ago and CERT-Bund was provided
with an image for analysis.
The data retrieved on port 53/udp was stored in temporary files changing every minute.
We were able to recover data sets with logged credentials for about 55 hours between
2012-05-02 and 2013-02-22. However, the exfiltration server most probably was active
for quite a bit longer.
The recovered data sets contain information on approx. 15 million harvested login attempts
to 9,153 unique IPs. These servers most probably have/had the malicious SSH lib installed
and sent the harvested data to the exfiltration server. However, most of the logged credentials
appear to be password dictionary/brute-forcing attempts as the malicious SSH lib does not only
harvest successful logins but any login attempts.
CERT-Bund provided national CERTs with information on potentially affected servers hosted
in the respective countries yesterday.
Unfortunately, I don't have permission to share the full list of IPs with nsp-sec for
legal reasons as the malicious SSH lib contains a hardcoded backdoor password which allows
for root access to all the compromised machines.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
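As an added example (not part of the original post or of CERT-Bund's own tooling), the following Python check scans flow records for hosts sending UDP/53 traffic to anything other than the sanctioned recursive resolvers, which is how the malicious SSH library described above exfiltrates credentials, including to the fallback drop-site IP quoted in the thread. The resolver addresses and the flow lines are constructed assumptions.

```python
# Added example: hunt for UDP/53 flows to non-resolver destinations.
# Such flows are a signal for the 53/udp credential exfiltration described
# in the thread (DGA hosts, or the quoted fallback IP when the DGA names
# do not resolve). All flow records and resolver addresses are constructed.
from ipaddress import ip_address

# Assumption: the site's only legitimate recursive resolvers.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Indicator quoted in the thread (fallback exfiltration host).
KNOWN_DROP_SITES = {"78.47.139.110"}

# Constructed flow log, one record per line: src dst proto dport bytes
SAMPLE_FLOWS = """\
10.1.2.10 10.0.0.53 udp 53 92
10.1.2.10 78.47.139.110 udp 53 412
10.1.2.11 10.0.1.53 udp 53 88
10.1.2.11 203.0.113.7 udp 53 301
10.1.2.11 203.0.113.7 udp 53 297
10.1.2.12 10.0.0.53 udp 53 90
10.1.2.12 203.0.113.9 tcp 443 5120
"""


def parse_flow(line):
    src, dst, proto, dport, nbytes = line.split()
    return src, dst, proto.lower(), int(dport), int(nbytes)


def suspicious_udp53(flows_text, resolvers=SANCTIONED_RESOLVERS,
                     drop_sites=KNOWN_DROP_SITES):
    """Return {src: {"dests": set, "bytes": int, "known_drop_site": bool}}
    for every source host that sent UDP/53 to a non-sanctioned destination."""
    findings = {}
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = parse_flow(line)
        if proto != "udp" or dport != 53 or dst in resolvers:
            continue
        ip_address(dst)  # fail loudly on a malformed record instead of skipping it
        entry = findings.setdefault(
            src, {"dests": set(), "bytes": 0, "known_drop_site": False})
        entry["dests"].add(dst)
        entry["bytes"] += nbytes
        entry["known_drop_site"] |= dst in drop_sites
    return findings


if __name__ == "__main__":
    for src, f in sorted(suspicious_udp53(SAMPLE_FLOWS).items()):
        tag = "KNOWN DROP SITE" if f["known_drop_site"] else "non-resolver UDP/53"
        print(f"{src}: {tag} -> {sorted(f['dests'])} ({f['bytes']} bytes)")
```

Hosts flagged with the known drop-site tag are candidates for the compromised-SSH-library check; hosts flagged only for non-resolver UDP/53 still need the DGA name lookups correlated from DNS logs before triage.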