Server Yard Sale
Aug 17, 2016
Most people are under the impression that gaining unauthorized access to someone's computer network requires Hollywood-level skills, money, and determination. We have this image of a squirrelly young adult wearing glasses, typing away at a keyboard faster than the speed of light, yelling "I need to debug 16 million lines of code to bypass the compressor and hack into the security mainframe!", intruding into our networks. What if I were to say you only need $6 to be this superstar hacker? Ladies and gentlemen, meet xDedic, an underground online marketplace where anyone can purchase more than 70,000 hacked servers from all around the Internet starting at just $6.
Below you can see screenshots of xDedic's login page, sale item details, and user interface, which allows for very specific search parameters. These photos are courtesy of Kaspersky Lab's Global Research & Analysis Team:
Server types for sale range from databases and web servers to government infrastructure and corporations. The most expensive servers in the marketplace cost upwards of $6,000 USD. The creators of xDedic also developed profiling software to categorize all of the servers for sale on the marketplace. The profiling software focuses in particular on accounting, tax reporting and point-of-sale (PoS) software. Most likely the reason for this is that malicious users of this marketplace want to know where the money is. Examples of the kinds of software the profiling agent looks for are listed below:
It is my recommendation that web administrators and security administrators alike check the compromised-server Pastebin postings for any IP addresses affiliated with their company. These can be found here:
Or Kaspersky's lovely full combined list of IPs with country code, derived from GeoIP, here:
Over 60,000 of the servers posted have USA IP addresses. If any of these IP addresses are found to be owned by your company, contact your Computer Emergency Response Team or local law enforcement to assist in handling this situation. Additionally, I would make sure to block many of these IP addresses, as they house compromised infrastructure.
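One way to run the check recommended above, as an added example that is not from the original post: it assumes the published list is plain "IP,country code" rows and that your organisation's address space is known as a few CIDR blocks. The rows and ranges in the sample are constructed from documentation address space, not entries from the real dump.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample in the "IP,country code" shape assumed for the combined
# list; these are RFC 5737 documentation addresses, not real dump entries.
SAMPLE_LIST = """\
# ip,country
198.51.100.23,US
203.0.113.9,DE
192.0.2.77,US
not-an-ip,US
198.51.100.200,US
"""

# Hypothetical address space belonging to the organisation doing the check.
OUR_NETWORKS = ["198.51.100.0/25", "192.0.2.0/24"]


def parse_ip_list(text: str) -> List[Tuple[object, str]]:
    """Parse 'ip,cc' rows, skipping comments, blanks and unparsable addresses."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_text, _, country = line.partition(",")
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue  # malformed row: skip it rather than abort the whole check
        entries.append((ip, country.strip().upper()))
    return entries


def find_our_addresses(text: str, networks: Iterable[str]) -> List[str]:
    """Return the listed addresses that fall inside any of our CIDR blocks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    hits = []
    for ip, country in parse_ip_list(text):
        if any(ip in net for net in nets):
            hits.append(f"{ip} ({country})")
    return hits


if __name__ == "__main__":
    for hit in find_our_addresses(SAMPLE_LIST, OUR_NETWORKS):
        print("listed host inside our address space:", hit)
```

Any hit is a host to triage and report, not just a firewall entry; the same membership test can be reused to decide which listed addresses to block at the perimeter.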