
5/20/2014

SSH Rootkit Ebury
Category MALICIOUS IP: 203.153.108.227 (INDONESIA)
Listed at SPAMHAUS (CBL)
Linux, FreeBSD or some other form of UNIX

The IP Address 203.153.108.227 is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy or some other form of botnet. It was last detected at 2014-05-20 07:00 GMT (+/- 30 minutes), approximately 10 hours ago.

Screenshot of 203.153.108.227


We have detected that this IP is NATting for, or is infected itself, with a Linux (or possibly some other Unix-like system such as FreeBSD) Trojan spam mailer script. This is no joke. This infection is extremely dangerous as it can download anything it wishes, and needs to be removed ASAP.

We do not know how the malware got installed onto the machine, but we know a lot of what it does. The main thing we've seen it doing is sending staggeringly large volumes of email spam. But it can do a lot more than that, and that is the real danger.

NEW

Of late some of these infections are facilitated by an SSH rootkit called "ebury". See this link for more detail.

In most cases, this IP address would be that of a shared hosting environment. If you are a customer of this environment, you will almost certainly not be able to do anything about it, only the administrators of the hosting environment itself can. Please contact your administrators, and refer them to this page. If the administrators are reluctant to do anything please try to convince them, because there is nothing you can do to fix this problem.

For further info, please see the screenshots made earlier in the day (at the end of this post).
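The CBL text above names Ebury but gives an administrator no way to test a host for it. The block below is an added example (my code, not the CBL's and not from the original post) that encodes the two host-side indicators published for the 2014 Ebury variant: an Ebury-patched OpenSSH client silently accepts the undocumented `-G` flag, whereas a clean OpenSSH older than 6.8 rejects it; and Ebury kept stolen credentials in world-accessible (mode 666) SysV shared memory segments owned by root. The function names, the constructed `ssh -V`, `ssh -G` and `ipcs -m` sample outputs, and the "inconclusive" rule for OpenSSH 6.8 or newer (which ships a genuine `-G` option, so the first test no longer distinguishes anything) are assumptions of this example.

```python
"""Ebury host triage (added example; not the CBL's or the post author's code).

Assumptions, stated here as in the lead-in:
  * `ssh -G` test: OpenSSH < 6.8 prints an "illegal/unknown/invalid option"
    error for -G, an Ebury-patched ssh does not.
  * OpenSSH >= 6.8 implements -G for real, so the test is inconclusive there.
  * `ipcs -m` rows with owner root and perms 666 are the shared-memory
    indicator; the Linux util-linux column layout is assumed.
"""
import re
import subprocess

# --- constructed sample outputs (not captured from the listed host) ---------
SAMPLE_SSH_V_OLD = "OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009"
SAMPLE_SSH_G_CLEAN = (
    "ssh: illegal option -- G\n"
    "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] ...\n"
)
# What a patched client might print instead: no option error at all.
SAMPLE_SSH_G_EBURY = "Host *\n"
SAMPLE_IPCS = (
    "------ Shared Memory Segments --------\n"
    "key        shmid      owner      perms      bytes      nattch     status\n"
    "0x00000000 32768      www-data   600        524288     2          dest\n"
    "0x00000000 65536      root       666        3145728    1\n"
)


def parse_openssh_version(ssh_v_output):
    """Return (major, minor) parsed from `ssh -V` text, or None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_ssh_g(ssh_g_output, version):
    """'clean', 'suspicious' or 'inconclusive' for the `ssh -G` heuristic."""
    if version is not None and version >= (6, 8):
        return "inconclusive"          # -G is a legitimate flag from 6.8 on
    if re.search(r"illegal option|unknown option|invalid option", ssh_g_output):
        return "clean"                 # stock client rejected the flag
    return "suspicious"                # flag accepted: inspect ssh + libkeyutils


def suspicious_shm_segments(ipcs_output):
    """Rows of `ipcs -m` owned by root with mode 666 (Ebury credential store)."""
    hits = []
    for line in ipcs_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue                   # header / separator lines
        _key, shmid, owner, perms, nbytes = parts[:5]
        if owner == "root" and perms == "666":
            hits.append({"shmid": int(shmid), "bytes": int(nbytes)})
    return hits


def run_live_check():
    """Run the real commands on this host and return both verdicts."""
    def out(cmd):
        p = subprocess.run(cmd, capture_output=True, text=True)
        return p.stdout + p.stderr     # ssh writes -V and errors to stderr
    version = parse_openssh_version(out(["ssh", "-V"]))
    return {
        "openssh": version,
        "ssh_g": classify_ssh_g(out(["ssh", "-G"]), version),
        "shm_666_root": suspicious_shm_segments(out(["ipcs", "-m"])),
    }


if __name__ == "__main__":
    print(run_live_check())
```

A "suspicious" or non-empty result is a reason to pull the `ssh` binary and every `libkeyutils.so*` on the box for offline comparison against the distribution's packages, not a conviction on its own; on a host with OpenSSH 6.8 or later only the shared-memory check carries any weight.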

----------------------------------------------------------------------------------------------------------------------------------------------

Analysis:

MALICIOUS IP (PHISH RISK: RouterOS router configuration page):

http://203.153.108.227/
Heuristic.LooksLike.HTML.Suspicious-URL.E (VirusTotal URL scan):
  • https://www.virustotal.com/de/url/0a964415fc55b5cdc18c0d36636601c5510eb3646d5ecf9a7513698add2a9817/analysis/1400587343/
Heuristic.LooksLike.HTML.Suspicious-URL.E (VirusTotal file scan):
  • https://www.virustotal.com/de/file/e23ec81b12a8af1412ab02d126086162b758908f1cf3e26a3f9797c3da242a74/analysis/1400587434/
  • http://quttera.com/detailed_report/203.153.108.227
  • http://zulu.zscaler.com/submission/show/4b322c1b6dd9f1d6b3f50243c20b5c37-1400587353
  • http://www.wpbl.info/cgi-bin/detail.cgi?ip=203.153.108.227

SPAMSERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_203.153.108.227
  • http://www.senderbase.org/lookup/?search_string=203.153.108.227
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=203.153.108.227
CBL LISTED:
  • http://cbl.abuseat.org/lookup.cgi?ip=203.153.108.227
OTHER MALICIOUS FILE (winbox.exe is the MikroTik Winbox management client that RouterOS serves from its web interface; the file scan below is of the copy served by this host):
http://203.153.108.227/winbox/winbox.exe
  • https://www.virustotal.com/de/url/d2563f5885fbe8174154ed20d776233135b80220e97d21b3b42b231c38e69311/analysis/1400602467/
  • https://www.virustotal.com/de/file/dcc31d4643e17d31db636c8ccc7e34d004876f18b5d48828ea37e2e8e5e19bcf/analysis/1400068690/
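The Spamhaus, CBL, WPBL and Project Honeypot links above are web front-ends to DNS blocklists. To reproduce the listing check from a script (for example when triaging many hosts), the block below implements the DNSBL query mechanics: reverse the IPv4 octets, append the zone, resolve the A record, and map the 127.0.0.x answer to a list name. This is an added example, not the CBL's or Spamhaus's code; the ZEN return-code table and the CBL "127.0.0.2 = listed" code are the published conventions, while the resolver is injectable so the block runs offline against a constructed answer table (the answers in `CONSTRUCTED_ANSWERS` are made up to match the page's "CBL listed" claim, not captured from DNS).

```python
"""DNSBL lookup for the lists cited above (added example, not vendor code)."""
import ipaddress
import socket

# Spamhaus ZEN answer codes (published convention; 127.0.0.4-7 are XBL data,
# of which 127.0.0.4 is the CBL feed).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP-maintained range)",
    "127.0.0.11": "PBL (Spamhaus-maintained range)",
}
# cbl.abuseat.org answers 127.0.0.2 for a listed address.
CBL_CODES = {"127.0.0.2": "CBL listed"}

# Constructed offline answers; real answers depend on the date of the query.
CONSTRUCTED_ANSWERS = {
    "227.108.153.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "227.108.153.203.cbl.abuseat.org": ["127.0.0.2"],
}


def reversed_octets(ip):
    """'203.153.108.227' -> '227.108.153.203'; rejects non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_name(ip, zone):
    """The name actually queried: reversed octets under the list's zone."""
    return f"{reversed_octets(ip)}.{zone}"


def system_resolver(name):
    """A records for `name` via the OS resolver, [] when NXDOMAIN (not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def constructed_resolver(name):
    """Offline stand-in for system_resolver backed by CONSTRUCTED_ANSWERS."""
    return CONSTRUCTED_ANSWERS.get(name, [])


def lookup(ip, zone, codes, resolve=system_resolver):
    """Return the list names the zone reports for `ip`; [] means not listed."""
    verdicts = []
    for answer in resolve(dnsbl_name(ip, zone)):
        if answer.startswith("127.255.255."):
            # Spamhaus uses this range to say it refused the query (public or
            # open resolver, or too many queries), not that the IP is listed.
            verdicts.append(f"query refused by list ({answer})")
        elif not answer.startswith("127.0.0."):
            # A wildcarding resolver or captive portal, not a listing.
            verdicts.append(f"unexpected answer {answer}")
        else:
            verdicts.append(codes.get(answer, f"unknown code {answer}"))
    return verdicts


if __name__ == "__main__":
    for zone, codes in (("zen.spamhaus.org", ZEN_CODES), ("cbl.abuseat.org", CBL_CODES)):
        print(zone, lookup("203.153.108.227", zone, codes))
```

Run the `__main__` block only from a resolver you control: Spamhaus answers queries relayed through large public resolvers with a 127.255.255.x refusal code rather than a listing, which the `lookup` function reports separately so that a refusal is not mistaken for "not listed".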
----------------------------------------------------------------------------------------------------------------------------------------------

