Have you ever had a server open to the internet with the SSH service running? Then you know how common it is to receive break-in attempts against your servers, produced by automated bots that scan wide ranges of hosts trying weak username/password combinations to log into remote machines.
But what happens next? What is the business behind these activities?
We have been investigating a criminal underground store dedicated to selling access to hacked (rooted) servers. Their customers can buy an administrator (root) account on a hacked server and then carry out criminal activities from it: distribute malware, install a botnet CnC, upload illegal content, send spam, etc.
We are going to study the store and their business following this index:
- The criminal underground store.
- How do they break into the servers?
- Who is behind this business?
The store seems to be quite profitable. The domain was registered on 07 April 2013 and the store website was probably made available some days after that. At the time of this research, they had around 400 customers, and the number was increasing day by day.
The site is behind CloudFlare, both to protect it against attacks and to keep the real location of the server hidden.
The logo and the welcome screen describing the website look like this:
In the screenshot we can see that they had 13 rooted servers for sale at that time, with different prices, locations and technical details.
You can even view the technical details of each server to check whether it fits your needs.
As far as we have been able to see, most of the rooted servers were outdated, running pretty old software.
At first, the site accepted Liberty Reserve for payments, but since that service is now closed, they accept Perfect Money and WebMoney.
But how did they break into the servers?
We have managed to get access to their tools and procedures for cracking and collecting servers. They were not using sophisticated methods to achieve their goals.
The bad actors were mainly brute-forcing user accounts for SSH and Plesk with a wordlist of common username/password combinations.
Firstly, wide ranges of IPs were scanned using a fast and portable port scanner (named fever), looking for open ports 22 and 8443 (SSH and the Plesk panel, respectively). The scanned ranges belonged to hosting companies.
At the time of our research, they were scanning the range 72.10.32.0/19, owned by Media Temple, Inc., a hosting company located in California.
After that, they would try to break into the servers by brute-forcing SSH and Plesk. To attack Plesk, a tool that logs in automatically was used; the strings extracted from its binary reveal the hard-coded login request it sends:
$ strings -a top
[...]
easy init
passwd=%s&login_name=admin
://%s:8443/login_up.php3
top.location=
%s:admin:%s
%s Eu imi bag pula in perl can’t open %s
[...]
Having seen their business and technical internals, who is behind it?
We have found evidence that the shop administrators were Russian speakers: some software installed on the server was set to the Russian language.
We have also found that they are, or were, involved in carding in the past, selling hacked PayPal accounts and credit cards, as a shop for that kind of merchandise is hosted on the same server.
This is a good example of what can happen to a server if it is not properly protected or has a weak password.
System administrators should know what to do to avoid this: filter unnecessary services, keep your software updated and use strong passwords (or, even better, SSH authentication keys)!
And do not forget to monitor all communications on the network; this can help you prevent attacks or carry out post-compromise forensics.
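The pattern described above (a port scan for 22 and 8443, then password guessing against SSH and the Plesk login handler login_up.php3) leaves a clear trace in ordinary server logs, which is where the monitoring advice pays off. The following added example is not part of the original research: it is a small Python detector that correlates failed sshd password attempts with POSTs to /login_up.php3 per source IP. The log lines are constructed samples using documentation-range addresses, and the assumed formats are the standard OpenSSH auth.log message and a common-format access log for the Plesk panel.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the research): sshd auth.log entries and Plesk (8443) access log.
AUTH_LOG = """\
Jul 12 03:14:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 12 03:14:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul 12 03:14:05 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jul 12 03:14:06 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jul 12 03:14:08 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul 12 03:15:40 web1 sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Jul 12 03:16:02 web1 sshd[2301]: Failed password for alice from 198.51.100.20 port 40130 ssh2
"""
PLESK_LOG = """\
203.0.113.7 - - [12/Jul/2013:03:20:11 +0000] "POST /login_up.php3 HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2013:03:20:11 +0000] "POST /login_up.php3 HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2013:03:20:12 +0000] "POST /login_up.php3 HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2013:03:20:12 +0000] "POST /login_up.php3 HTTP/1.1" 302 0
198.51.100.20 - - [12/Jul/2013:03:25:00 +0000] "POST /login_up.php3 HTTP/1.1" 302 0
"""

# sshd writes "invalid user" when the account does not exist; capture the name either way.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
# The tool's format string "://%s:8443/login_up.php3" means every guess is a POST to this path.
PLESK_POST = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) .*"POST /login_up\.php3 ')

def ssh_failures(log):
    """Map source IP -> Counter of usernames with failed SSH password attempts."""
    per_ip = defaultdict(Counter)
    for line in log.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            per_ip[m.group(2)][m.group(1)] += 1
    return per_ip

def plesk_login_posts(log):
    """Count POSTs to the Plesk login handler per source IP."""
    return Counter(m.group(1) for m in map(PLESK_POST.match, log.splitlines()) if m)

def flag_bruteforce(auth_log, plesk_log, threshold=3):
    """Return {ip: {"ssh", "plesk", ...}} for IPs at or above the threshold on a service."""
    flagged = defaultdict(set)
    for ip, users in ssh_failures(auth_log).items():
        if sum(users.values()) >= threshold:
            flagged[ip].add("ssh")
    for ip, n in plesk_login_posts(plesk_log).items():
        if n >= threshold:
            flagged[ip].add("plesk")
    return dict(flagged)
```

An IP flagged on both services is the signature of the operation described here: one host scanning for 22 and 8443 and then guessing against both, which a single-service tool such as a per-daemon lockout would report as two unrelated events.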