[nsp-sec] Likely compromised servers receiving harvested SSH credentials
Smith, Donald
Donald.Smith at CenturyLink.com
Wed Mar 6 17:44:59 EST 2013
I posted this to another list but can share here. Based on the set of IPs I have been provided, only these showed up receiving UDP 53 packets.
count ip
> 1008 72.156.139.154
> 32 78.47.139.110
> 25 208.68.232.131
I had your ips in the filtering rules too :)
"Pampers use multiple layers of protection to prevent leakage. Rommel used defense in depth to defend European fortresses." (A.White) Donald.Smith at CenturyLink.com
>-----Original Message-----
>From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Gabriel Iovino
>Sent: Thursday, February 28, 2013 3:27 PM
>To: NSP nsp-security
>Subject: [nsp-sec] Likely compromised servers receiving harvested SSH credentials
>
>----------- nsp-security Confidential --------
>
>
>Greetings,
>
>A few of us have been tracking Phalanx2[1] rootkit compromises and often
>a trojaned ssh/sshd would be found with the rootkit. A recent (related)
>trojaned ssh/sshd was discussed on the ISC Diary[2].
>
>We believe the four hosts below are likely receiving harvested SSH
>credentials over port 53. These were discovered via a DGA algorithm. A
>good first indicator of this is that all the port 53 traffic will be one
>way; the hosts below would not be responding to the traffic.
>
>> 45557 | 180.148.1.138 | 180.148.1.0/24 | VN | apnic | 2009-08-24 | VNTT-AS-VN Vietnam Technology and Telecommunication JSC
>> 33724 | 208.68.232.131 | 208.68.232.0/24 | US | arin | 2006-07-17 | BIZNESSHOSTING - VOLICO
>> 8685 | 212.58.20.10 | 212.58.16.0/21 | TR | ripencc | 1998-03-11 | DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.
>> 6389 | 72.156.139.154 | 72.156.128.0/20 | US | arin | 2005-08-11 | BELLSOUTH-NET-BLK - BellSouth.net Inc
>
>If we can confirm that these are receiving harvested SSH credentials
>then the following would be of interest:
>
>1. Any host sending port 53 traffic to these hosts (minus random DNS
>scanners) is likely compromised and leaking credentials. Those hosts
>should be remediated.
>
>2. The harvested credentials should be shipped to an upstream
>host/proxy. What is this host?
>
>3. These servers are compromised and should be remediated.
>
>If you can help, please let me know; this is the first time the
>exfiltration host(s) has changed in some time.
>
>Gabe
>
>[1] Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit
>http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
>
>[2] SSHD rootkit in the wild
>https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
>
>- --
>Gabriel Iovino
>Principal Security Engineer, REN-ISAC
>http://www.ren-isac.net
>24x7 Watch Desk +1(317)278-6630
>
>
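The one-way UDP/53 indicator from the post, as an added example that is not part of the thread or of anyone's tooling: it walks netflow-style records, counts UDP/53 packets sent to the watched hosts, and keeps only clients that never received a reply. The flow line format and all client addresses are constructed assumptions; the two watched addresses are from the thread, and passing `watched=None` generalizes the check to every destination in the data.

```python
"""Added example (not from the thread): flag one-way UDP/53 flows.

Implements the post's indicator: clients sending UDP/53 to suspected
collection servers that never answer. Flow lines are constructed sample
data in the form "<ts> <src>:<sport> -> <dst>:<dport> <proto> <pkts>".
"""
from collections import defaultdict

# Two suspected hosts named in the thread; all other addresses are made up.
WATCHED = {"72.156.139.154", "208.68.232.131"}

SAMPLE_FLOWS = """\
2013-02-28T15:01:02 10.0.0.5:41234 -> 72.156.139.154:53 udp 40
2013-02-28T15:01:03 10.0.0.5:41235 -> 72.156.139.154:53 udp 38
2013-02-28T15:02:10 10.0.0.9:50001 -> 8.8.8.8:53 udp 1
2013-02-28T15:02:10 8.8.8.8:53 -> 10.0.0.9:50001 udp 1
2013-02-28T15:03:00 10.0.0.7:33000 -> 208.68.232.131:53 udp 12
2013-02-28T15:03:01 208.68.232.131:53 -> 10.0.0.7:33000 udp 1
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict."""
    ts, src, _arrow, dst, proto, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "proto": proto, "pkts": int(pkts)}


def one_way_dns_talkers(text, watched=WATCHED):
    """Return {dst: {src: packets}} for UDP/53 sent to hosts in `watched`
    (None = every destination) by clients that never got a reply.
    Pairs with a reply (normal resolvers, answered scans) are dropped."""
    sent = defaultdict(lambda: defaultdict(int))  # dst -> src -> packets
    replied = set()                               # (server, client) pairs
    for line in text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        if f["dport"] == 53 and (watched is None or f["dst"] in watched):
            sent[f["dst"]][f["src"]] += f["pkts"]
        elif f["sport"] == 53:
            replied.add((f["src"], f["dst"]))
    result = {}
    for dst, clients in sent.items():
        silent = {s: n for s, n in clients.items() if (dst, s) not in replied}
        if silent:  # at least one client is talking into a void
            result[dst] = silent
    return result
```

On the sample data only 10.0.0.5 is reported (78 packets to 72.156.139.154 with no answer); 10.0.0.7 is dropped because 208.68.232.131 replied to it, and the answered 8.8.8.8 lookup is ignored either way.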