RDP Brute Forcer / Infection

The following addresses have been RDP brute forcing this server and, once in, copied a file across from their local machine. I think it uses Adobe Air as one of the components.
What confuses me more is that the infected server was on a managed broadband service with heavy firewalling and multiple NAT layers. How an RDP connection was ever made to the machine is pretty baffling, pending further investigation.
I presume the managed broadband provider has accidentally 1:1 NATed a public IP to it.

The initial connection was made from…

5.104.173.51
inetnum: 5.104.173.0 – 5.104.173.255
netname: ICN-BG
descr: ICN Ltd.
country: BG
admin-c: AZ3665-RIPE
tech-c: ND2157-RIPE
status: ASSIGNED PA
mnt-by: AZ39139-MNT
mnt-lower: ICN-BG-MNT
mnt-domains: ICN-BG-MNT
mnt-routes: ICN-BG-MNT
source: RIPE # Filtered

person: Andon Zlatev
address: 122 Ovche pole str.
address: Sofia, Bulgaria
phone: +35924903211
nic-hdl: AZ3665-RIPE
mnt-by: AZ39139-MNT
source: RIPE # Filtered

person: Nedko Dimitrov
address: 122 Ovche pole str.
address: Sofia, Bulgaria
phone: +359 893590193
nic-hdl: ND2157-RIPE
mnt-by: AZ39139-MNT
source: RIPE # Filtered

More Info from RIPEstat
route: 5.104.173.0/24
descr: ICN Ltd.
origin: AS49699
mnt-by: AZ39139-MNT
source: RIPE # Filtered

Then multiple follow-up connections came from…
164.58.104.202, which has reverse and forward DNS of fs.cyber.rose.edu
NetRange 164.58.104.0 – 164.58.104.255
CIDR 164.58.104.0/24
Name ONENET-0000003006-0000003496
Handle NET-164-58-104-0-1
Parent ONENET (NET-164-58-0-0-1)
Net Type Reassigned
Origin AS
Customer Rose State MWC (C00406267)
Name Rose State MWC
Handle C00406267
Street Attn: Jim Beavers
6420 S.E. 15th
City Midwest City
State/Province OK
Postal Code 73110
Country US

I’ve contacted rose.edu, was given a contact email address, and have been in touch to warn them that their systems have potentially been compromised.

Edit: I wonder if this hack is related to an attempt to infect PoS (Point of Sale) systems: the username/password used to get in is in the article, the attackers were very quick to get in after the first scan, used a host that was less likely to be identified as suspicious, and reconnected to the system multiple times.
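The pattern described in this post (a burst of failed RDP logons from one address, a successful logon seconds later, then repeated successful logons to the same account from a second, cleaner-looking address) is easy to pull out of the Windows Security log. The script below is an added example, not anything from the original post or the affected server. It assumes events 4624 and 4625 have been exported as CSV with the columns TimeCreated, EventID, LogonType, TargetUserName and IpAddress (as you might do with Get-WinEvent or wevtutil); the embedded sample rows are constructed to mirror the post's timeline and are not real log data.

```python
"""Flag brute-forced RDP logons and follow-up reconnections in a Security log export.

Added example: groups exported 4624/4625 events by source IP, flags any source
that logged a run of failures followed by a successful RemoteInteractive logon,
and then finds later successful RDP logons to the cracked account from other
sources (the second host in the post never fails, so it only shows up this way).
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPES = {10, 7}  # 10 = RemoteInteractive, 7 = Unlock (reconnect to an existing session)

# Constructed sample export (assumed column layout, not data from the post).
# With NLA enabled, failed RDP attempts are logged as LogonType 3 (network),
# which is why the failure count ignores LogonType and only the success check uses it.
SAMPLE_EXPORT = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2013-11-02 03:10:02,4625,3,administrator,5.104.173.51
2013-11-02 03:10:03,4625,3,admin,5.104.173.51
2013-11-02 03:10:03,4625,3,Administrator,5.104.173.51
2013-11-02 03:10:04,4625,3,user,5.104.173.51
2013-11-02 03:10:05,4625,3,pos,5.104.173.51
2013-11-02 03:10:06,4625,3,Administrator,5.104.173.51
2013-11-02 03:10:06,4624,10,Administrator,5.104.173.51
2013-11-02 03:40:12,4624,10,Administrator,164.58.104.202
2013-11-02 04:15:44,4624,10,Administrator,164.58.104.202
2013-11-02 05:02:31,4624,10,Administrator,164.58.104.202
2013-11-02 09:00:00,4625,3,bob,10.0.0.12
2013-11-02 09:00:30,4624,10,bob,10.0.0.12
"""


def parse_export(text):
    """Parse the CSV export into dicts sorted by time (stable, so same-second order is kept)."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventID"]),
            "logon_type": int(row["LogonType"]),
            "user": row["TargetUserName"],
            "ip": row["IpAddress"],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def find_rdp_bruteforce(rows, min_failures=5):
    """Return {ip: summary} for sources with >= min_failures failures before a successful RDP logon."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        successes = [e for e in evs
                     if e["event_id"] == SUCCESSFUL_LOGON and e["logon_type"] in RDP_LOGON_TYPES]
        if not successes:
            continue
        first_success = successes[0]
        prior = [f for f in failures if f["time"] <= first_success["time"]]
        if len(prior) < min_failures:  # an ordinary typo-then-login is not a brute force
            continue
        findings[ip] = {
            "failures": len(prior),
            "users_tried": sorted({f["user"] for f in prior}),
            "seconds_to_success": (first_success["time"] - prior[0]["time"]).total_seconds(),
            "cracked_user": first_success["user"],
            "first_success_time": first_success["time"],
            "rdp_logons": len(successes),
        }
    return findings


def find_followup_logons(rows, findings):
    """Count later successful RDP logons to each cracked account from other source IPs."""
    followups = defaultdict(int)
    for ip, f in findings.items():
        for r in rows:
            if (r["event_id"] == SUCCESSFUL_LOGON and r["logon_type"] in RDP_LOGON_TYPES
                    and r["user"] == f["cracked_user"] and r["ip"] != ip
                    and r["time"] > f["first_success_time"]):
                followups[r["ip"]] += 1
    return dict(followups)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    hits = find_rdp_bruteforce(events)
    for ip, f in hits.items():
        print(f"{ip}: {f['failures']} failures, cracked {f['cracked_user']} "
              f"after {f['seconds_to_success']:.0f}s, users tried {f['users_tried']}")
    for ip, n in find_followup_logons(events, hits).items():
        print(f"{ip}: {n} later RDP logons with the cracked account")
```

Note that a file copied over an RDP session via client drive redirection (the \\tsclient share) leaves nothing in the logon events, so this only tells you who got in and when; the copy itself has to be chased through the file system timeline or Terminal Services operational logs.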
