[nsp-sec] Botnet takedown - Chinese SSH Brute Force
Mike Tancsa
mike at sentex.net
Wed Apr 8 14:17:32 EDT 2015
Thank you!!!! It was very depressing that they have been scanning with
such impunity for so long :( They compromised a customer server March
29th and were using it to DoS 218.90.200.73 for whatever reason. The
pattern was almost exactly that of the fireeye description. After they
brute forced the root passwd from 103.41.124.94 (it was not that weak),
they logged in from the IP 107.182.140.139 (march 29th, 12:58:38pm EDT)
and set up their rootkit
---Mike
On 4/8/2015 1:52 PM, Wentworth, Brett wrote:
> ----------- nsp-security Confidential --------
>
> Just a heads up that Level 3 conducted a botnet takedown yesterday. Part of the activity of this botnet is extreme SSH brute force scanning. At one point throughout the previous 30 days we saw this comprising over 30% of the total global SSH traffic, so they aren’t being subtle. The purpose of this notice is to hopefully persuade you all to take similar action at your border. Infected hosts we have seen communicating with the C2 will be forthcoming.
>
> SSH Brute Force Scanning
> 43.255.190.0/23 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
> 43.255.190.0/24 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
>
> C2:
> 103.240.140.152/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
> 103.240.141.54/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
> 103.240.141.50/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
> 104.143.5.25/32 (ASN 36114 Versaweb, 53340 Fiberhub, 2914 NTT)
>
> Malware Hosting:
> 23.234.60.140/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
> 23.234.60.143/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
> 23.234.19.202/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484 Hostspace)
>
> Further details can be found in the attached report (some of the IPs have changed but the behavior is the same):
> http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
> https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
>
>
> Regards,
>
> Level (3) Communications
> Network Security Operations
> Level3-SOC at level3.com
> 720.888.0012
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
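The two things the thread asks an operator to do are to spot the pattern Mike describes (a long run of failed root passwords from one address, then a successful login from a second address) and to block the indicators at the border. The script below is an added example, written for this page and not taken from either message: it runs the indicator list from the Level 3 notice and the brute-force-then-login check over sshd auth-log lines, and it collapses the listed prefixes and hosts into a block list (note that 43.255.190.0/24 lies inside 43.255.190.0/23, so only the /23 is needed). The sample log lines are constructed for the demo and reuse addresses named in the thread; the 20-failure threshold and the choice of a Linux blackhole route as the blocking primitive are my assumptions, not anything either poster stated.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators copied from the Level 3 notice quoted above.  The two scanning
# prefixes overlap (the /24 lies inside the /23); border_block_list() collapses them.
SCANNER_PREFIXES = ["43.255.190.0/23", "43.255.190.0/24"]
C2_HOSTS = ["103.240.140.152", "103.240.141.54", "103.240.141.50", "104.143.5.25"]
MALWARE_HOSTS = ["23.234.60.140", "23.234.60.143", "23.234.19.202"]

# OpenSSH auth-log lines; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

# Assumed threshold (not from the posts): this many failures for one account from
# one source is treated as a brute-force run against that account.
BRUTE_FORCE_THRESHOLD = 20


def classify_ip(ip):
    """Return the indicator list a source address falls into, or None."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in SCANNER_PREFIXES):
        return "scanner-prefix"
    if ip in C2_HOSTS:
        return "c2"
    if ip in MALWARE_HOSTS:
        return "malware-hosting"
    return None


def analyse(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Walk sshd log lines in order.  Reports accounts that were brute forced,
    any later successful login to such an account from any source (the post
    describes the login arriving from a second address, so the third field of
    that finding says whether the source differed), and sources on the lists."""
    failures = defaultdict(int)      # (user, src) -> failed attempts seen
    brute_forced = defaultdict(set)  # user -> sources that crossed the threshold
    report = {"brute_force": [], "login_after_brute_force": [], "indicator_hits": []}

    def note_indicator(src):
        tag = classify_ip(src)
        if tag and (src, tag) not in report["indicator_hits"]:
            report["indicator_hits"].append((src, tag))

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            note_indicator(src)
            failures[(user, src)] += 1
            if failures[(user, src)] == threshold:
                report["brute_force"].append((user, src))
                brute_forced[user].add(src)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            note_indicator(src)
            if user in brute_forced:
                report["login_after_brute_force"].append(
                    (user, src, src not in brute_forced[user]))
    return report


def border_block_list():
    """Collapse the notice's prefixes and hosts into a minimal set of networks and
    render one Linux blackhole route per network (chosen here as an illustration
    of acting at the border; a router ACL or BGP blackhole community works the same way)."""
    nets = [ipaddress.ip_network(p) for p in SCANNER_PREFIXES + C2_HOSTS + MALWARE_HOSTS]
    return ["ip route add blackhole %s" % net for net in ipaddress.collapse_addresses(nets)]


def sample_log():
    """Constructed sshd lines for the demo, using addresses named in the thread;
    the timestamps and the number of attempts are made up, not taken from the posts."""
    lines = [
        "Mar 29 12:40:%02d srv sshd[%d]: Failed password for root from 103.41.124.94 port %d ssh2"
        % (i, 4000 + i, 40000 + i)
        for i in range(25)
    ]
    lines.append("Mar 29 12:41:03 srv sshd[4100]: Failed password for invalid user admin "
                 "from 43.255.190.17 port 5522 ssh2")
    lines.append("Mar 29 12:58:38 srv sshd[4200]: Accepted password for root "
                 "from 107.182.140.139 port 50312 ssh2")
    lines.append("Mar 29 13:02:11 srv sshd[4300]: Accepted publickey for ops "
                 "from 192.0.2.10 port 50400 ssh2")
    return lines


if __name__ == "__main__":
    for key, items in analyse(sample_log()).items():
        print(key, items)
    print("\n".join(border_block_list()))
```

On the sample input the run from 103.41.124.94 crosses the threshold, the later root login from 107.182.140.139 is reported with the "different source" flag set, and the failure from 43.255.190.17 is tagged as coming from the scanning prefix. Feed real lines from /var/log/auth.log or journalctl -u ssh in place of sample_log(); the threshold is per account and source, so a slow distributed attack spread over many sources would need a per-account count as well.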