Have you ever had a server open to the internet with SSH service running? Then you know how common it is to receive break in attempts against your servers produced by automated bots that scan wide ranges of hosts trying weak combinations of user/password to log into remote machines.
But what happens next? What is the business behind these activities?
We have been investigating a criminal underground store dedicated to selling access to hacked (rooted) servers. Their customers can buy an administrator (root) account in a hacked server, and then perpetrate criminal activities from it, distribute malware, install a botnet CnC, upload illegal contents, send spam, etc ...
We are going to study the store and their business following this index:
- The criminal underground store.
- How do they break into the servers.
- Who is behind this business?
The store seems to be quite profitable. The domain was registered on 07 April 2013 and the store website was probably made available some days after that. At the time of this research, they had around 400 customers, increasing day by day.
The site is behind CloudFlare to be protected against attacks and keep the real location of the server hidden.
The logo and the welcome screen where the website is described looks like this:
In the screenshot we can see they had 13 rooted servers to be sold at that time, with different prices, locations and technical details.
You can even see the technical details of each server to check if it fits your needs.
As we have been able to see, most of the rooted servers were outdated, running pretty old software.
At first, the site accepted Liberty Reserve for the payments, but as it is closed now, they accept Perfect Money and WebMoney.
But, how did they break into the servers?
We have managed to get access to their tools and procedures to crack and collect servers. They were not using sophisticated methods to achieve their goals.
The bad actors were mainly bruteforcing user accounts for SSH and Plesk with a wordlist of common combinations of username/password.
Firstly, wide ranges of IPs were scanned using this fast and portable port scanner (named fever). It will look for 8443 and 22 open ports. The scanned ranges belonged to hosting companies.
At the time of our research, they were scanning the range 18.104.22.168/19, property of Media Temple, Inc, a hosting company located in California.
After that, they will try to break into the servers using SSH and Plesk bruteforce. To attack Plesk, a tool to automatically log in was used.
$ strings -a top
%s Eu imi bag pula in perl can’t open %s
After we have seen their business and technical internals, who is behind it?
We have found evidences that the shop administrators were Russian speakers. Some software installed in the server was set to Russian language.
We have also found that they are or were involved in carding in the past, selling hacked PayPal accounts and credit cards, as a shop for this kind of stuff is hosted in the same server.
This is a good example of what can happen to a server if it is not properly protected, or has a weak password.
System administrators should know what to do to avoid this: keep unnecessary services filtered, update your software and use strong passwords (or even better, authentication keys)!
And do not forget to monitor all communications on the network, this can help you to prevent attacks or study post-compromise forensics.