Network, Security
Server Yard Sale
Aug 17, 2016
Below you can see screenshots of xDedics login page, sale item details, and user interface that allows for very specific search parameters. These photos are courtesy of Kaspersky Lab’s Global Research & Analysis Team:
Server types for sale range from databases and web servers to government infrastructure and corporations. The most expensive servers in the marketplace cost upwards of $6,000 USD. The creators of xDedic also developed profiling software to categorize all of the servers for sale on the marketplace. Specific focus of this profiling software is in accounting, tax reporting and point-of -sale (PoS) software. Most likely the reason for this is that malicious users of this marketplace want to know where the money is. Examples of the kinds of software the profiling agent looks for are listed below:
It is my recommendation that web administrators and security administrators alike check the compromised server pastebin postings for any IP addresses affiliated with their company. These can be found here:
http://pastebin.com/KCNJPDZZ
http://pastebin.com/E5YRNpgP
http://pastebin.com/qse8pTZR
http://pastebin.com/yNg2XCX1
http://pastebin.com/wNpvwW8z
http://pastebin.com/nVJ6r2ha
http://pastebin.com/VQAr9tut
http://pastebin.com/d4jVhs9M
http://pastebin.com/p7qK9pGh
http://pastebin.com/48eZAwCW
Or lovely Kasperskys full combined list of IPs with country code based on the GeoIP here:
Over 60,000 of these servers posted are USA IP addresses. If any of these IP addresses are found to be owned by your company, contact your Computer Emergency Response Team or local law enforcement to assist in handling this situation. Additionally I would make sure to block many of these IP addresses as they house compromised infrastructure.