[nsp-sec] Likely compromised servers receiving harvested SSH credentials
Smith, Donald
Donald.Smith at CenturyLink.com
Fri Mar 1 17:47:12 EST 2013
Thanks Thomas, I saw it receiving packets back in early February.
The report I am running will have entries from the beginning of the month (02-02 I think) to current.
It will take a while to complete (1 day or so) but then I will have a list of potentially compromised systems that I should be able to share here.
Given the nature of the report I am only getting systems that went to one of those ips on udp 53 so it should have a low FP rate.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] on behalf of Thomas Hungenberg [th.lab at hungenberg.net]
Sent: Friday, March 01, 2013 2:44 PM
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Likely compromised servers receiving harvested SSH credentials
----------- nsp-security Confidential --------
On 01.03.2013 20:01, Smith, Donald wrote:
> Bojan published this additional drop site ip address in his sans diary.
>
> 78.47.139.110.
This is the fallback exfiltration host to which the harvested SSH login credentials
are sent if the domain names generated by the DGA do not resolve.
This server (hosted in Germany) was taken down one week ago and CERT-Bund was provided
with an image for analysis.
The data retrieved on port 53/udp was stored in temporary files changing every minute.
We were able to recover data sets with logged credentials for about 55 hours between
2012-05-02 and 2013-02-22. However, the exfiltration server most probably was active
for a considerably longer time.
The recovered data sets contain information on approx. 15 million harvested login attempts
to 9,153 unique IPs. These servers most probably have/had the malicious SSH lib installed
and sent the harvested data to the exfiltration server. However, most of the logged credentials
appear to be password dictionary/brute-forcing attempts, as the malicious SSH lib harvests not only
successful logins but any login attempt.
CERT-Bund provided national CERTs with information on potentially affected servers hosted
in the respective countries yesterday.
Unfortunately, I don't have permission to share the full list of IPs with nsp-sec for
legal reasons as the malicious SSH lib contains a hardcoded backdoor password which allows
for root access to all the compromised machines.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
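The report Donald describes above (hosts that sent UDP/53 traffic to the drop-site IP during the reporting window) is a simple flow-log filter. The following is an added example, not code from the thread or from CERT-Bund: it runs that filter over a constructed, simplified NetFlow-style text export and summarises per source host. The flow format, the sample records (RFC 5737 documentation addresses) and the 2013-02-02 window start are assumptions; the only indicator taken from the thread is 78.47.139.110.

```python
"""Flag internal hosts that sent UDP/53 flows to a known exfiltration host.

Added example, not part of the nsp-sec thread. The flow-log layout below is a
constructed, simplified NetFlow-style export:
    <ISO timestamp> <proto> <src> <sport> <dst> <dport> <bytes>
Adapt parse_flow() to the collector you actually use.
"""
from collections import defaultdict
from datetime import datetime

# Fallback drop site named in the thread. Further indicators (e.g. from the
# SANS diary referenced there) can be added to this set.
EXFIL_HOSTS = {"78.47.139.110"}

# Start of the reporting window mentioned in the thread (02-02).
WINDOW_START = datetime(2013, 2, 2)

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = """\
2013-02-01T23:59:00 UDP 203.0.113.10 51000 78.47.139.110 53 312
2013-02-03T04:12:09 UDP 203.0.113.10 51002 78.47.139.110 53 280
2013-02-03T04:13:11 UDP 203.0.113.10 51003 78.47.139.110 53 296
2013-02-04T10:00:00 UDP 203.0.113.25 41000 198.51.100.53 53 70
2013-02-05T12:30:45 TCP 203.0.113.30 55555 78.47.139.110 80 1500
2013-02-06T08:05:15 UDP 203.0.113.40 60000 78.47.139.110 53 304
"""


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, proto, src, sport, dst, dport, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto.upper(),
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def find_exfil_sources(flow_text, exfil_hosts=EXFIL_HOSTS, window_start=WINDOW_START):
    """Return {src_ip: summary} for sources that sent UDP/53 to an exfil host.

    The match is deliberately narrow (UDP, destination port 53, destination in
    the indicator set, inside the window). A legitimately configured resolver
    never talks to these hosts, which is why the thread expects a low
    false-positive rate for this criterion.
    """
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "UDP" or flow["dport"] != 53:
            continue  # TCP/80 to the same IP is not part of this report's criterion
        if flow["dst"] not in exfil_hosts:
            continue  # ordinary DNS to a legitimate resolver
        if flow["ts"] < window_start:
            continue  # outside the reporting window
        summary = hits[flow["src"]]
        summary["flows"] += 1
        summary["bytes"] += flow["bytes"]
        if summary["first"] is None or flow["ts"] < summary["first"]:
            summary["first"] = flow["ts"]
        if summary["last"] is None or flow["ts"] > summary["last"]:
            summary["last"] = flow["ts"]
    return dict(hits)


if __name__ == "__main__":
    for src, s in sorted(find_exfil_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {s['flows']} flow(s), {s['bytes']} bytes, "
              f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
```

On the sample data, 203.0.113.10 is reported twice (its 1 February flow falls before the window), 203.0.113.40 once, while the ordinary DNS query to 198.51.100.53 and the TCP/80 connection to the drop-site IP are left alone. The per-host first/last timestamps are what you would hand to the server owner to scope the incident, since the thread notes the malicious library logs every login attempt, successful or not.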