Most people are under the impression that gaining unauthorized access to someones computer network requires Hollywood level skills, money, and determination. We have this image of a squirrelly young adult wearing glasses, typing away at a keyboard faster than the speed of light, yelling I need to debug 16 million lines of code to bypass the compressor and hack into the security mainframe!, intruding into our networks. What if I were to say you only need $6 to be this superstar hacker? Ladies and gentlemen meet xDedic, an underground online marketplace where anyone can purchase more than 70,000 hacked servers from all around the Internet starting at just $6.

Below you can see screenshots of xDedics login page, sale item details, and user interface that allows for very specific search parameters. These photos are courtesy of Kaspersky Lab’s Global Research & Analysis Team:

 

Server types for sale range from databases and web servers to government infrastructure and corporations. The most expensive servers in the marketplace cost upwards of $6,000 USD. The creators of xDedic also developed profiling software to categorize all of the servers for sale on the marketplace. Specific focus of this profiling software is in accounting, tax reporting and point-of -sale (PoS) software. Most likely the reason for this is that malicious users of this marketplace want to know where the money is. Examples of the kinds of software the profiling agent looks for are listed below:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

It is my recommendation that web administrators and security administrators alike check the compromised server pastebin postings for any IP addresses affiliated with their company. These can be found here:

http://pastebin.com/KCNJPDZZ

http://pastebin.com/E5YRNpgP

http://pastebin.com/qse8pTZR

http://pastebin.com/yNg2XCX1

http://pastebin.com/wNpvwW8z

http://pastebin.com/nVJ6r2ha

http://pastebin.com/VQAr9tut

http://pastebin.com/d4jVhs9M

http://pastebin.com/p7qK9pGh

http://pastebin.com/48eZAwCW

 

Or lovely Kasperskys full combined list of IPs with country code based on the GeoIP here:

https://kas.pr/TM5V

Over 60,000 of these servers posted are USA IP addresses. If any of these IP addresses are found to be owned by your company, contact your Computer Emergency Response Team or local law enforcement to assist in handling this situation. Additionally I would make sure to block many of these IP addresses as they house compromised infrastructure.