Softpedia
August 11th, 2010, 17:55 GMT · By

Compromised Web Servers Used to Build SSH Brute Force Botnet

Image: Attackers use compromised web servers to launch SSH brute force attacks
There are strong indications that unidentified hackers are currently building a botnet, possibly by exploiting a vulnerability in outdated phpMyAdmin installations, and are using it to launch SSH brute force attacks.

Apparently more and more Web server owners are finding instances of an unauthorized script called dd_ssh running on their systems.

The script is located in the /tmp/ directory, runs under the same account as Apache and is apparently being used to brute force SSH logins.
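The two indicators the article gives (a script living in /tmp/ and running under the Apache account) can be checked from a process listing. The following triage script is an added example and is not code from the article or from any of the reports it cites; the web server account names, the list of world-writable directories and the sample `ps` output are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample of `ps -eo user,pid,ppid,comm,args` output (not from a real host).
# ps prints both comm and args under the header COMMAND.
SAMPLE_PS = """\
USER       PID  PPID COMMAND  COMMAND
root         1     0 init     /sbin/init
root       905     1 sshd     /usr/sbin/sshd
www-data  1433  1201 apache2  /usr/sbin/apache2 -k start
www-data  2210  1433 dd_ssh   /tmp/dd_ssh
www-data  2216  1433 sh       /bin/sh -c ./dd_ssh
www-data  2220  1433 php      /usr/bin/php /var/www/cron.php
postgres  1100     1 postgres /usr/lib/postgresql/bin/postgres
"""

# Assumption: accounts that web servers commonly run under on Linux distributions.
WEB_SERVER_USERS = {"www-data", "apache", "httpd", "nobody"}
# Assumption: world-writable locations where a dropped script would typically land.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# The script name reported in the article.
KNOWN_NAMES = {"dd_ssh"}


@dataclass
class Finding:
    pid: int
    user: str
    command: str
    reasons: list


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm,args` output into dicts, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 4)  # args may contain spaces, so split at most 4 times
        if len(parts) < 5:
            continue
        user, pid, ppid, comm, args = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "comm": comm, "args": args})
    return rows


def triage(rows, web_users=WEB_SERVER_USERS):
    """Return one Finding per process that matches any of the article's indicators."""
    findings = []
    for r in rows:
        tokens = r["args"].split()
        reasons = []
        # Indicator 1: the web server account executing a binary out of /tmp or similar.
        if r["user"] in web_users and tokens and tokens[0].startswith(SUSPECT_DIRS):
            reasons.append("web-server account running a binary from a world-writable directory")
        # Indicator 2: the reported script name, whether run directly or via a shell.
        if r["comm"] in KNOWN_NAMES or any(t.split("/")[-1] in KNOWN_NAMES for t in tokens):
            reasons.append("process name matches the reported dd_ssh script")
        # Indicator 3: the web server account handing a world-writable path to an interpreter.
        if r["user"] in web_users and any(t.startswith(SUSPECT_DIRS) for t in tokens[1:]):
            reasons.append("web-server account passing a world-writable path as an argument")
        if reasons:
            findings.append(Finding(r["pid"], r["user"], r["args"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_ps(SAMPLE_PS)):
        print(f"pid {f.pid} ({f.user}): {f.command}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On a live host the same listing comes from `ps -eo user,pid,ppid,comm,args`. The `sh -c ./dd_ssh` row shows why the executable path alone is not enough: the process image is /bin/sh, and only the argument string reveals the script, so for anything doubtful also inspect /proc/PID/exe and /proc/PID/cwd, which point at the real binary and working directory even when the file has since been deleted.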

The SANS Internet Storm Center (ISC) confirms that it has detected a recent spike in the number of unique IP addresses participating in SSH scanning.

Image: DShield graph showing spike in SSH scanning
Data gathered by its DShield monitoring system shows that the number of SSH scanning sources increased from around 1,300 per day at the beginning of August to over 5,000 at this moment.

According to some reports, attackers might be exploiting a vulnerability in older versions of phpMyAdmin in order to drop dd_ssh and another file called vm.c in the /tmp directory.

The vulnerability, which allows for remote code execution, is said to affect versions below 3.2.4 (Debian) and was apparently patched back in April.

"I've found that many people who have been attacked have logs showing a flood of http requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin," a networking and security enthusiast, who looked into the attacks, writes.

"These attacks may resemble a DDoS attack server side, but have an ulterior motive. Once they discover the version to be vulnerable, they inject the code," he adds.
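The quoted observation describes a log pattern a defender can look for: a burst of HTTP requests from one source that walk the usual phpMyAdmin paths and fetch files revealing its version. The script below is an added example, not code from the article or from the person quoted; the probed path names, the version-disclosing files and the sample log lines (Apache combined format, documentation IP ranges) are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed Apache combined-format log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2010:03:12:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2010:03:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2010:03:12:02 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2010:03:12:02 +0000] "GET /myadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2010:03:12:03 +0000] "GET /phpMyAdmin/README HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2010:03:12:03 +0000] "GET /phpMyAdmin/ChangeLog HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Aug/2010:03:14:10 +0000] "GET /index.html HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Aug/2010:03:14:11 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: directory names under which phpMyAdmin is commonly installed.
PMA_PATH_RE = re.compile(r"^/(phpmyadmin|pma|myadmin)\b", re.IGNORECASE)
# Assumption: files shipped with phpMyAdmin whose contents disclose the version.
VERSION_FILES = ("README", "ChangeLog", "Documentation.html")


@dataclass
class ProbeReport:
    ip: str
    probes: int
    version_file_hits: int
    peak_per_minute: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def analyze(lines, min_per_minute=5):
    """Group phpMyAdmin probes by source IP and report sources that burst above the threshold."""
    per_ip = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if not PMA_PATH_RE.match(path):
            continue
        rec = per_ip.setdefault(ip, {"probes": 0, "ver": 0, "buckets": defaultdict(int),
                                     "first": ts, "last": ts})
        rec["probes"] += 1
        # A successful fetch of a version-disclosing file means the probe found an install.
        if status == 200 and path.rstrip("/").split("/")[-1] in VERSION_FILES:
            rec["ver"] += 1
        rec["buckets"][ts.replace(second=0)] += 1  # one-minute buckets
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    reports = []
    for ip, rec in per_ip.items():
        peak = max(rec["buckets"].values())
        if peak >= min_per_minute:
            reports.append(ProbeReport(ip, rec["probes"], rec["ver"], peak,
                                       rec["first"], rec["last"]))
    return sorted(reports, key=lambda r: r.probes, reverse=True)


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG.splitlines()):
        print(f"{r.ip}: {r.probes} probes, peak {r.peak_per_minute}/min, "
              f"{r.version_file_hits} version-file hits, {r.first_seen} to {r.last_seen}")
```

The threshold is deliberately per source and per minute rather than a plain count, because a single legitimate administrator will also request /phpMyAdmin/ but not a dozen spelling variants within seconds. A 200 on README or ChangeLog is the line worth escalating: it tells the scanner the version, which in the scenario the article describes is the step that precedes the code injection.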

Even though the SSH brute force attacks have spiked this month, the dd_ssh script has been mentioned in various reports since June, like this one from networking appliances manufacturer F5 Networks.

You can follow the editor on Twitter @lconstantin
