Security Incidents mailing list archives

Re: Steady increase in ssh scans


From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 11 Feb 2002 17:57:53 -0800 (PST)

On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:

> > Is this a normal increase considering the vulnerabilities made
> > public late last year?
>
> I don't think that there is a 'normal' curve for this type of
> activity.  I strongly suspect that kiddie behaviour is more a result
> of fashion than rational thinking.  SSH is merely C00l now!

I would agree with Russell.  Since several SSH exploits are now
in wide circulation, they are making their way into every rootkit and
autorooter out there (and there are many).  The increase in scanning
seems to fit typical recon/exploit cycles, with or without automation
of the exploit portion.

> > Is anyone (everyone) else seeing the same type of activity?
>
> I have not done the stats, but my impression is that my figures would
> mirror yours.  I am now seeing about 1-2 port 22 scans a day in each
> network block I monitor.

I'm also seeing scanning, with lots of syslog messages like the
following:

Feb  7 15:56:24 XXXXX sshd[19622]: Did not receive ident string from ::ffff:XX.XXX.227.164.

> > Has anyone seen evidence of a worm?
>
> No, but then we have not had any compromises.  I have seen no random
> probing of the kind favoured by most worms.  I do believe that there are
> worms out there that exploit BIND problems; I regularly see random
> probes on udp 53.

I've seen two or three "autorooter" kits using SSH exploits, which
combine scanning, exploitation, log cleaning, and trojaning, all in
one kit.  These exploits are not well suited to worms, since they are
so noisy (>1MB of traffic per exploit), but I'm sure someone will
eventually try to build one anyway.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
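As an added example (not part of this thread), a small Python script that aggregates the sshd "Did not receive ident string" lines Dave quotes by source address and day, so that one source touching several monitored hosts stands out as a sweep rather than a stray connection; the log lines, hostnames and addresses below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format quoted in the thread
# (hostnames and addresses are placeholders, not real data).
SAMPLE_LOG = """\
Feb  7 15:56:24 hostA sshd[19622]: Did not receive ident string from ::ffff:192.0.2.10.
Feb  7 15:56:25 hostB sshd[19630]: Did not receive ident string from ::ffff:192.0.2.10.
Feb  7 15:56:26 hostC sshd[19641]: Did not receive ident string from ::ffff:192.0.2.10.
Feb  7 16:02:01 hostA sshd[19702]: Accepted password for alice from 198.51.100.7 port 40122
Feb  7 16:10:44 hostA sshd[19777]: Did not receive ident string from 203.0.113.5.
Feb  8 09:15:09 hostB sshd[20012]: Did not receive ident string from ::ffff:192.0.2.10.
"""

# Matches the classic syslog prefix followed by sshd's "no ident string" message.
# The source may carry the IPv4-mapped IPv6 prefix and a trailing period.
IDENT_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<host>\S+) "
    r"sshd\[\d+\]: Did not receive ident string from (?P<src>\S+?)\.?$"
)


def normalize_source(src):
    """Strip the ::ffff: prefix that dual-stack sshd puts on IPv4 peers."""
    if src.startswith("::ffff:"):
        return src[len("::ffff:"):]
    return src


def parse_no_ident(lines):
    """Yield (date, host, source) for every 'Did not receive ident string' line."""
    for line in lines:
        m = IDENT_RE.match(line)
        if m:
            date = f"{m['month']} {int(m['day']):02d}"
            yield (date, m["host"], normalize_source(m["src"]))


def scan_summary(lines, min_hosts=2):
    """Return {(date, source): [hosts]} for sources that opened port 22 on at
    least min_hosts distinct monitored hosts in one day without sending a banner,
    which is the footprint of a sweep rather than a one-off misconfigured client."""
    touched = defaultdict(set)
    for date, host, src in parse_no_ident(lines):
        touched[(date, src)].add(host)
    return {k: sorted(v) for k, v in touched.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (date, src), hosts in scan_summary(SAMPLE_LOG.splitlines()).items():
        print(f"{date} {src} swept {len(hosts)} hosts: {', '.join(hosts)}")
```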


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
