Irregular Expressions

Apr 28 2013   1:55AM GMT

SSH Brute Force Scanner – Part 6

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Well after working with the scanner for a couple hours I cannot seem to entice any other behavior out of it other then collecting a list of IP’s and associated logins.  Also after more static analysis of it I cannot see anything that says it will do more then that.

I did do some looking around on the Internet to see what else comes up with ‘unixcod’, there was lots of talk but I found a couple links that are worth sharing.

First check out this thread about a hacked web server.  Does that not look familiar?


unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache 360 Jun 3 23:47 .
drwxrwxrwt 3 root root 60 Jun 3 00:24 ..
-rwxr-xr-x 1 apache apache 0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache 0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache 0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache 12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache 0 Jun 3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache 4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache 0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache 2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache 216 May 18 2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache 15729 Oct 14 2005 find
-rw-r--r-- 1 apache apache 5262 Jun 3 23:45 log
-rwxr-xr-x 1 apache apache 751 May 25 06:33 unix
-rw-r--r-- 1 apache apache 0 Jun 3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache 671 May 25 13:56 x

The only addition file is ‘x’ which seems to be a copy of ‘unix’ in this case.

The other link is a pastbin dump.  It is a long one.  Someone has uploaded a chat log of IRC sessions.  What appears to be going on is a group is working on locating servers with root and what they mention as just smtp.  They are using the compromised servers for spam of financial users.  It sure seems like they are phising, but nothing that says it 100%.  Also I am unsure of what the smtp is, but I think they are looking for mail servers that they can use for mass mailings.  They are also using unixcod for collecting of these accounts, there is more then a few dumps of logins posted in that pastbin.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: