Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 11 Feb 2002 17:57:53 -0800 (PST)
> On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:
> > Is this a normal increase considering the vulnerabilities made public
> > late last year?
>
> I don't think that there is a 'normal' curve for this type of activity. I
> strongly suspect that kiddie behaviour is more a result of fashion than
> rational thinking. SSH is merely C00l now!
I would agree with Russell. Since several SSH exploits are now in wide circulation, they are making their way into every rootkit and autorooter out there (and there are many). The increase in scanning seems to fit typical recon/exploit cycles, with or without automation of the exploit portion.
> > Is anyone (everyone) else seeing the same type of activity?
>
> I have not done the stats but my impression is that my figures would
> mirror yours. I am now seeing about 1-2 port 22 scans a day in each
> network block I monitor.
I'm also seeing scanning, with lots of syslog messages like the following:

    Feb 7 15:56:24 XXXXX sshd[19622]: Did not receive ident string from ::ffff:XX.XXX.227.164.
> > Has anyone seen evidence of a worm?
>
> No, but then we have not had any compromises. I have seen no random
> probing that is favoured by most worms. I do believe that there are worms
> out there that exploit BIND problems; I regularly see random probes on
> udp 53.
I've seen two or three "autorooter" kits using SSH exploits, which combine scanning, exploitation, log cleaning, and trojaning, all in one kit. These exploits are not well suited to worms, since they are so noisy (>1MB of traffic per exploit), but I'm sure someone will eventually try to build one anyway.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu          University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
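The "Did not receive ident string" message Dave quotes is the footprint of a scanner that connects to port 22 and drops the connection before sending an SSH version banner. The script below is an added example, not code from this thread or from anyone posting to it: it parses that message out of syslog, strips the ::ffff: IPv4-mapped prefix that a dual-stack sshd prints, and reports sources that touched several distinct hosts, which separates a horizontal sweep of a network block from a single broken client. The log lines are constructed (RFC 5737 documentation addresses, invented hostnames), and the min_hosts threshold is an assumed tuning knob. It also accepts the later OpenSSH wording ("identification string ... port N"), which the 2002 thread does not mention.

```python
import re
from collections import defaultdict

# Matches the 2002-era message quoted in the thread ("ident string") and the
# wording later OpenSSH releases use ("identification string ... port N").
IDENT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'sshd\[(?P<pid>\d+)\]: Did not receive ident(?:ification)? string from '
    r'(?P<src>\S+?)(?: port \d+)?\.?$'
)


def normalize_src(src):
    """sshd on a dual-stack listener logs IPv4 peers as ::ffff:a.b.c.d; strip it."""
    if src.lower().startswith('::ffff:'):
        return src[len('::ffff:'):]
    return src


def parse_ident_failures(lines):
    """Yield (host, src) for every 'Did not receive ident string' line."""
    for line in lines:
        m = IDENT_RE.match(line.rstrip())
        if m:
            yield m.group('host'), normalize_src(m.group('src'))


def scanners(lines, min_hosts=2):
    """Sources that hit at least min_hosts distinct hosts without speaking SSH.

    One failure can be a broken client or a port checker; the same source
    touching several hosts in a block is the sweep the thread is describing.
    min_hosts is an assumed threshold, not something from the original post.
    """
    seen = defaultdict(set)
    for host, src in parse_ident_failures(lines):
        seen[src].add(host)
    return {src: hosts for src, hosts in seen.items() if len(hosts) >= min_hosts}


# Constructed sample log (documentation addresses, made-up hostnames and PIDs).
SAMPLE_LOG = """\
Feb  7 15:56:24 web1 sshd[19622]: Did not receive ident string from ::ffff:192.0.2.10.
Feb  7 15:56:25 mail1 sshd[1044]: Did not receive ident string from ::ffff:192.0.2.10.
Feb  7 15:56:26 ns1 sshd[2201]: Did not receive identification string from 192.0.2.10 port 40311
Feb  7 16:01:02 web1 sshd[19650]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Feb  7 16:03:11 web1 sshd[19660]: Did not receive ident string from ::ffff:198.51.100.9.
""".splitlines()

if __name__ == '__main__':
    for src, hosts in sorted(scanners(SAMPLE_LOG).items()):
        print(f'{src} probed {len(hosts)} hosts: {", ".join(sorted(hosts))}')
```

Run against a whole day's sshd logs from every host in a block, the output is the per-block "1-2 scans a day" figure Russell describes; the 198.51.100.9 line in the sample stays below the threshold on purpose, since one dropped connection to one host is not evidence of a scan.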
Current thread:
- Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
- Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
- Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
- Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)