On Wed, Oct 21, 2015 at 04:15:24PM +0100, Ian wrote:
> I would be wondering about the other people who know
> the password
> for this one except that if it knew the password, why did the IP
> address fail the previous day?
It may simply be that they got the passwords wrong the first few times?
It looks like manual login attempts (given that they tried a few times
to get iptables right), so this may well be the explanation.
> .. which, if I understand it correctly, is redirecting
> DNS requests
> to that IP address (various sites reckon that's a site in Germany,
> chipmanuals.com, apparently owned by someone in Tbilisi, Georgia...)
Which of course may also be compromised.
> Secondly, on Sunday various files were placed in
> /tmp/.estbuild
> including a copy of nginx.
> This seems to have been serving a version of the Dridex trojan in
> the form of a Windows .exe file from (domain name)/uniq/* before
> passing the request onto Apache to 404 the /uniq/ URLs. Fortunately,
> because of how it was set up, only requests to the server's own
> domain name were affected and it looks like that only had about
> three human visitors in that time, one of whom complained.
Yes, that looks like Dridex, see e.g.
https://twitter.com/khast3x/status/656390695062740992
FWIW I think XML-RPC is an unlikely attack vector, assuming the password
isn't a dictionary word or something similar. The attack speeds up
brute-force attacks significantly, but it remains brute-force.
Logjam sounds even less likely, as it's relatively expensive and
requires a man-in-the-middle position.
Also, I think the root access they got on the server is far more
powerful than merely having access to WordPress. So it's not impossible
that they used the latter kind of access and somehow used that to
escalate to SSH.
Are you ok with me forwarding your email to some security researchers?
They'd probably be happy to help you. Dridex survived a huge takedown
effort from the FBI and others (the botherder was arrested). This makes
it a very hot topic in security circles.
Martijn.
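The thread above describes three host-level indicators: DNS traffic being redirected to an outside address via iptables, a rogue nginx running out of a hidden directory under /tmp, and requests for /uniq/* landing on Apache as 404s after nginx had already served a payload. The script below is an added triage example written for this page, not code posted by Ian or Martijn, and it makes assumptions the thread does not confirm: that the DNS redirect was an iptables DNAT rule in the nat table, that the rogue process is visible via /proc/<pid>/exe, and that the web server writes Apache combined-format access logs. The iptables-save text, process list and log lines are constructed samples (TEST-NET addresses, made-up file names), not data from the compromised server.

```python
#!/usr/bin/env python3
"""Triage checks for the indicators discussed in the thread (added example).

Assumptions (not confirmed by the thread): DNS redirect is an iptables DNAT
rule; rogue binary visible through /proc; Apache combined log format.
"""
from __future__ import annotations

import os
import re
import sys
from typing import Dict, List, Tuple

# --- 1. DNS redirection via iptables DNAT -----------------------------------
# Matches a nat-table rule that rewrites port-53 traffic to another host.
DNAT_RE = re.compile(r"--dport\s+53\b.*-j\s+DNAT\s+--to-destination\s+(\S+)")


def dns_dnat_targets(iptables_save_text: str) -> List[str]:
    """Return unique DNAT targets for port 53 found in the *nat table."""
    targets = set()
    in_nat = False
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            in_nat = line == "*nat"
            continue
        if in_nat:
            m = DNAT_RE.search(line)
            if m:
                targets.add(m.group(1))
    return sorted(targets)


# --- 2. Processes executing from temp / hidden directories ------------------
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def processes_running_from_tmp(exe_by_pid: Dict[int, str]) -> List[Tuple[int, str]]:
    """Flag pids whose executable lives under a scratch directory.

    /proc/<pid>/exe may read "/path (deleted)" if the binary was removed
    after launch; the suffix is stripped before matching.
    """
    flagged = []
    for pid, exe in sorted(exe_by_pid.items()):
        path = exe[: -len(" (deleted)")] if exe.endswith(" (deleted)") else exe
        if path.startswith(SCRATCH_DIRS):
            flagged.append((pid, exe))
    return flagged


def collect_proc_exes() -> Dict[int, str]:
    """Live collection: readlink /proc/<pid>/exe for every visible pid."""
    exes: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                exes[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:          # kernel threads, exited pids, no permission
                continue
    return exes


# --- 3. /uniq/ requests in Apache access logs --------------------------------
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def uniq_requests(lines: List[str], prefix: str = "/uniq/") -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for requests under the payload prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(4).startswith(prefix):
            hits.append((m.group(1), m.group(4), int(m.group(5))))
    return hits


# --- Constructed sample inputs (not from the real server) --------------------
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.10:53
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.10:53
COMMIT
*filter
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
"""

SAMPLE_EXES = {
    1: "/sbin/init",
    1401: "/usr/sbin/apache2",
    2218: "/tmp/.estbuild/nginx",
    2219: "/tmp/.estbuild/nginx (deleted)",
}

SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2015:14:02:11 +0100] "GET /uniq/sample.exe HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2015:14:03:45 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    exes = collect_proc_exes() if "--live" in sys.argv else SAMPLE_EXES
    print("DNS DNAT targets:", dns_dnat_targets(SAMPLE_IPTABLES))
    print("Processes from scratch dirs:", processes_running_from_tmp(exes))
    print("/uniq/ requests:", uniq_requests(SAMPLE_LOG))
```

Run without arguments it exercises the constructed samples; `--live` swaps in the real /proc listing for the process check (the iptables and log checks would be fed `iptables-save` output and the access log in the same way). A 404 for a /uniq/ path is worth noting precisely because the thread says nginx served the payload before handing the request to Apache, so Apache's own log shows only the failed tail of the exchange.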