RE: Voluminous SSHd scanning; possible worm activity?

["Gommers, Joep" <JGommers () gfo nl>]

The reason for all the scans on port 22 are not worms, it's the whole
scriptkiddie world that is scanning your ports for SSH versions:

        1.2.27
        1.2.28
        1.2.29
        1.2.30
        1.2.3
        1.2.31
        2.1.1
        2.2.0p1
        
This are the versions that can be attacked by Scut@TESO's SSH exploit. Since
a few weeks orso, this exploit had reached the scriptkiddie world. Also the
'X2' exploit that is fewer seen but more effective is beginning to enter
here.

Also SSH versions 2.0.x and 2.9.2 have not yet published exploit around.

It's like the time where the wuftpd deamon versions 2.4.0 2.5.0 and 2.6.0
first had it's public exploit.

Anyway, i suggest you patch ssh to > 3.0.1(this has a local exploit). Or use
a telnetd > 0.17.

Sincerely, 

Joep Gommers




On Mon, 10 Dec 2001, Neil Dickey wrote:

> >     I've been seeing a lot of SSHd scans of late.
> [ ... ]
> >     Has anyone else seen this sort of thing from their systems?
>
> Until a month or two ago we *never* saw scans to port 22.  Now they are
> common, though I'm not seeing anything like the intensity you describe. 
> In a week I might see as many as six, total, and that would be a heavy
> week for me. 

        Right now, the scans I'm seeing are coming in at around six in a
day.  Started four days ago.

> Most of what I detect appear to be SYN scans.  Has anyone done a
> honeypot study to find out what weaknesses are being exploited, or is it
> just the usual bug in SSH1? 

        Perhaps we should touch base with the HoneyNet crew and see what
they've discovered?

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPBTjS7lDRyqRQ2a9AQHNPgQAlvrQgvUHEYYOfJeIfSj7mG4fKSfQjpaC
eClyziq6jyziKpBecokq6jbSk9bP2K+ywZRf2oYXDDnU7ufnBjQuGIBxFNehu6VA
1//K57kbk5MCuquOnwZHAdf3VwLoOadW4CDdZffNIBwom9pXo+FzIHnZTLjfNK+g
CVVlZJNbSN8=
=cRfx
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com