August 11th, 2010

Compromised Web Servers Used As Botnet To Brute Force SSH

There are strong indications that unidentified hackers are currently building a botnet, possibly by exploiting a vulnerability in outdated phpMyAdmin installations, and are using it to launch SSH brute force attacks.

More and more web server owners are reportedly finding an unauthorized program called dd_ssh running on their systems. It sits in the /tmp/ directory, runs under the same account as Apache (consistent with it having been dropped through a web application rather than through a root-level compromise) and is being used to brute force SSH logins on other hosts.

The SANS Internet Storm Center (ISC) confirms detecting a recent spike in the number of unique IP addresses that participate in SSH scanning.

Data gathered by its DShield monitoring system shows that the number of SSH scanning sources increased from around 1,300 per day at the beginning of August to over 5,000 at this moment.

According to some reports, attackers may be exploiting a vulnerability in older versions of phpMyAdmin in order to drop dd_ssh and another file called vm.c into the /tmp directory.

The vulnerability, which allows remote code execution, is said to affect versions below 3.2.4 (the Debian package) and was apparently patched back in April, so the hosts being compromised are ones that have gone months without applying distribution updates.

“I’ve found that many people who have been attacked have logs showing a flood of HTTP requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin,” a networking and security enthusiast, who looked into the attacks, writes.

“These attacks may resemble a DDoS attack server side, but have an ulterior motive. Once the version is discovered to be vulnerable, they inject the code,” he adds.
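As an added illustration (this is example code written for this page, not a tool from the article's source, SANS ISC or F5 Networks), the script below shows how an administrator could triage a server for the two symptoms described above: a burst of phpMyAdmin discovery and version-probing requests from a single source in the Apache access log, and the dd_ssh / vm.c artifacts in /tmp with a dd_ssh process running under the web server account. The probe directory names, the version-revealing file names, the www-data account name and every sample log and ps line are assumptions constructed for the example.

```python
"""Triage helpers for the dd_ssh / phpMyAdmin campaign (added example, not the article's code)."""
import os
import re
from collections import defaultdict

# Apache "combined" access log line (timestamp, request and status are what we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Directory names a scanner typically tries when hunting for phpMyAdmin (assumed list).
PMA_DIRS = ("/phpmyadmin", "/phpMyAdmin", "/pma", "/myadmin", "/mysql", "/dbadmin")
# Files in the phpMyAdmin tree that disclose the installed version (assumed probe targets).
VERSION_FILES = ("/ChangeLog", "/README", "/Documentation.html", "/changelog.php")
# Artifact names reported in the article.
IOC_FILES = ("dd_ssh", "vm.c")


def is_pma_probe(path):
    """True when a request path points into a likely phpMyAdmin directory."""
    lower = path.lower()
    return any(lower.startswith(d.lower()) for d in PMA_DIRS)


def is_version_probe(path):
    """True when the request targets a file that reveals the phpMyAdmin version."""
    return is_pma_probe(path) and any(path.endswith(f) for f in VERSION_FILES)


def scan_access_log(lines, min_requests=5):
    """Return {ip: {"requests": n, "version_probes": m, "paths": set}} for every source
    that issued at least min_requests phpMyAdmin-style requests; other sources are dropped."""
    per_ip = defaultdict(lambda: {"requests": 0, "version_probes": 0, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not is_pma_probe(path):
            continue
        entry = per_ip[m.group("ip")]
        entry["requests"] += 1
        entry["paths"].add(path)
        if is_version_probe(path):
            entry["version_probes"] += 1
    return {ip: e for ip, e in per_ip.items() if e["requests"] >= min_requests}


def check_tmp_for_iocs(tmp_dir="/tmp"):
    """Return the full paths of any reported artifact names present directly in tmp_dir."""
    return [os.path.join(tmp_dir, n) for n in IOC_FILES if os.path.exists(os.path.join(tmp_dir, n))]


def suspicious_processes(ps_output, web_user="www-data"):
    """Parse the output of `ps -eo pid,user,args` (header line first) and return
    (pid, user, args) for processes that mention dd_ssh or that the web server account
    is running out of /tmp."""
    rows = []
    for line in ps_output.splitlines()[1:]:  # skip the PID/USER/COMMAND header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        if "dd_ssh" in args or (user == web_user and args.startswith("/tmp/")):
            rows.append((int(pid), user, args))
    return rows


# Constructed sample data (RFC 5737 test addresses; not taken from any real log).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2010:14:03:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 295 "-" "-"
203.0.113.5 - - [09/Aug/2010:14:03:11 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 295 "-" "-"
203.0.113.5 - - [09/Aug/2010:14:03:12 +0000] "GET /pma/ HTTP/1.1" 404 295 "-" "-"
203.0.113.5 - - [09/Aug/2010:14:03:12 +0000] "GET /myadmin/ChangeLog HTTP/1.1" 200 51221 "-" "-"
203.0.113.5 - - [09/Aug/2010:14:03:13 +0000] "GET /myadmin/README HTTP/1.1" 200 1034 "-" "-"
198.51.100.9 - - [09/Aug/2010:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Aug/2010:14:05:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 295 "-" "Mozilla/5.0"
"""

SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 2419 www-data /usr/sbin/apache2 -k start
 2533 www-data /tmp/dd_ssh
 2601 alice    vim vm.c
"""

if __name__ == "__main__":
    for ip, e in scan_access_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {e['requests']} phpMyAdmin requests, {e['version_probes']} version probes")
    print("artifacts in /tmp:", check_tmp_for_iocs())
    for pid, user, args in suspicious_processes(SAMPLE_PS):
        print(f"suspicious process {pid} ({user}): {args}")
```

On a live host, feed `scan_access_log` the real access log (`open("/var/log/apache2/access.log")`) and `suspicious_processes` the output of `ps -eo pid,user,args`; a source that walks several candidate directories and then pulls ChangeLog or README is the version-query pattern the quoted investigator describes, and a dd_ssh process owned by www-data is the host-side confirmation. Finding the artifacts means the phpMyAdmin install should be treated as compromised and upgraded, not merely cleaned.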

Even though the SSH brute force attacks have spiked this month, the dd_ssh script has been mentioned in various reports since June, like this one from networking appliances manufacturer F5 Networks.
