Security Incidents mailing list archives
RE: Voluminous SSHd scanning; possible worm activity?
From: "Gommers, Joep" <JGommers () gfo nl>
Date: Tue, 11 Dec 2001 14:12:24 +0100
The reason for all the scans on port 22 are not worms, it's the whole scriptkiddie world that is scanning your ports for SSH versions: 1.2.27 1.2.28 1.2.29 1.2.30 1.2.3 1.2.31 2.1.1 2.2.0p1 This are the versions that can be attacked by Scut@TESO's SSH exploit. Since a few weeks orso, this exploit had reached the scriptkiddie world. Also the 'X2' exploit that is fewer seen but more effective is beginning to enter here. Also SSH versions 2.0.x and 2.9.2 have not yet published exploit around. It's like the time where the wuftpd deamon versions 2.4.0 2.5.0 and 2.6.0 first had it's public exploit. Anyway, i suggest you patch ssh to > 3.0.1(this has a local exploit). Or use a telnetd > 0.17. Sincerely, Joep Gommers On Mon, 10 Dec 2001, Neil Dickey wrote:
I've been seeing a lot of SSHd scans of late.[ ... ]Has anyone else seen this sort of thing from their systems?Until a month or two ago we *never* saw scans to port 22. Now they are common, though I'm not seeing anything like the intensity you describe. In a week I might see as many as six, total, and that would be a heavy week for me.
Right now, the scans I'm seeing are coming in at around six in a day. Started four days ago.
Most of what I detect appear to be SYN scans. Has anyone done a honeypot study to find out what weaknesses are being exploited, or is it just the usual bug in SSH1?
Perhaps we should touch base with the HoneyNet crew and see what they've discovered? - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee"-. >====<--. C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) | = |-' `--' `--' `---------- Si vis pacem, para bellum. ----------' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBPBTjS7lDRyqRQ2a9AQHNPgQAlvrQgvUHEYYOfJeIfSj7mG4fKSfQjpaC eClyziq6jyziKpBecokq6jbSk9bP2K+ywZRf2oYXDDnU7ufnBjQuGIBxFNehu6VA 1//K57kbk5MCuquOnwZHAdf3VwLoOadW4CDdZffNIBwom9pXo+FzIHnZTLjfNK+g CVVlZJNbSN8= =cRfx -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Voluminous SSHd scanning; possible worm activity?, (continued)
- Re: Voluminous SSHd scanning; possible worm activity? Glenn Forbes Fleming Larratt (Dec 16)
- Re: Voluminous SSHd scanning; possible worm activity? Clarissa Cook (Dec 17)
- Re: Voluminous SSHd scanning; possible worm activity? Neil Dickey (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Schroeder, Eric (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Markus Friedl (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Schroeder, Eric (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Florian Weimer (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Markus Friedl (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Florian Weimer (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Gommers, Joep (Dec 11)
- RE: Voluminous SSHd scanning; possible worm activity? Damien Miller (Dec 11)
- RE: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Bertrand Lupart (Dec 12)
- Re: Voluminous SSHd scanning; possible worm activity? Jonathan Bloomquist (Dec 13)
- RE: Voluminous SSHd scanning; possible worm activity? jon schatz (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Markus Friedl (Dec 12)
- Re: Voluminous SSHd scanning; possible worm activity? Glenn Forbes Fleming Larratt (Dec 16)
- RE: Voluminous SSHd scanning; possible worm activity? Gommers, Joep (Dec 12)
- RE: Voluminous SSHd scanning; possible worm activity? Gommers, Joep (Dec 12)
- Re: Voluminous SSHd scanning; possible worm activity? Paul Gear (Dec 13)
- Re: Voluminous SSHd scanning; possible worm activity? Sam Ferrell (Dec 14)