Pretty stealthy SSH scanning seen on the Internet.

From: Erik Fichtner (techsat_private)
Date: Sun Sep 09 2001 - 11:40:36 PDT


    Hi all, 
    
    Spotted a pretty interesting bit of activity this morning from what appears
    to be a compromised x86 Cobalt (Linux).  The thing was either
    slow-scanning the network, or doing some kind of interleaved scan that
    makes it appear to be a slow-scan on the target networks.  The initial
    behavior is to scan a host with a SYN packet with matching source and
    destination ports, and if the host is responsive, it launches another 
    thread to make an actual connect() to the ssh port to gather version
    information.
    
    
    Host side logging returns messages like the following:
    Sep  9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.
    Sep  9 15:28:46 hostB sshd[14887]: log: Connection from 199.171.27.50 port 3544
    Sep  9 15:38:56 hostC sshd[27771]: Did not receive identification string from 199.171.27.50.     
    
    The actual packets involved in the scan are rather interesting, and may
    indicate that the tool in use is leaky about itself and can thus be
    fingerprinted.   I can't make this determination yet, as I have not yet
    seen enough data from enough different hosts.  
    
    When the thing is scanning unresponsive hosts, the following behavior is
    seen:
    
    16:48:53.182470 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 1930393454:1930393454(0) win 39631 (ttl 114, id 51449)
      0000: 4500 0028 c8f9 0000 7206 29d6 c7ab 1b32  E..(Èù..r.)ÖÇ«.2
      0010: xxxx xxxx 0016 0016 730f 776e 3e1b e0b9  xxxx....s.wn>.à¹
      0020: 5002 9acf b593 0000 8888 8888 8888       P..ϵ.........
    
    16:51:39.680908 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 290031809:290031809(0) win 61477 (ttl 126, id 22534)
      0000: 4500 0028 5806 0000 7e06 8ec8 c7ab 1b32  E..(X...~..ÈÇ«.2
      0010: xxxx xxxx 0016 0016 1149 88c1 4f0b 9b62  xxxx.....I.ÁO..b
      0020: 5002 f025 e516 0000 8888 8888 8888       P.ð%å.........
    
    16:54:42.110365 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 49304050:49304050(0) win 308 (ttl 131, id 24402)
      0000: 4500 0028 5f52 0000 8306 827b c7ab 1b32  E..(_R.....{Ç«.2
      0010: xxxx xxxx 0016 0016 02f0 51f2 5a03 3cde  xxxx.....ðQòZ.<Þ
      0020: 5002 0134 6cbc 0000 8888 8888 8888       P..4l¼........
    
    16:57:39.168075 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 185233515:185233515(0) win 41839 (ttl 132, id 65134)
      0000: 4500 0028 fe6e 0000 8406 e25d c7ab 1b32  E..(þn....â]Ç«.2
      0010: xxxx xxxx 0016 0016 0b0a 706b 6d9d 48fe  xxxx......pkm.Hþ
      0020: 5002 a36f 8432 0000 8888 8888 8888       P.£o.2........
    
    
    We see that the ttl jumps around a lot and that each of the SYN packets ends 
    with "0000 8888 8888 8888".  Since this is a hand-crafted packet, this seems 
    to suggest a bug in the scanner that can be fingerprinted.  
    You'll note that the scan attempts come in at nearly three minute intervals.
    
    
    
    
    When the thing is scanning hosts that are active, yet do not have anything
    listening on port 22, the following behavior is seen:
    
    17:16:31.108438 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 408054011:408054011(0) win 18369 (ttl 121, id 46650)
      0000: 4500 0028 b63a 0000 7906 358b c7ab 1b32  E..(¶:..y.5.Ç«.2
      0010: xxxx xxxx 0016 0016 1852 68fb 1cb1 abaa  xxxx.....Rhû.±«ª
      0020: 5002 47c1 c841 0000 8888 8888 8888       P.GÁÈA........
    
    17:16:31.109072 xx.xx.xx.xx.22 > 199.171.27.50.22: R [tcp sum ok] 0:17(17) ack 408054012 win 0 (DF) (ttl 119, id 33967)
      0000: 4500 0039 84af 4000 7706 2905 xxxx xxxx  E..9.¯@.w.).xxxx
      0010: c7ab 1b32 0016 0016 0000 0000 1852 68fc  Ç«.2.........Rhü
      0020: 5014 0000 9368 0000 6e6f 2074 6370 2c20  P....h..no tcp, 
      0030: 7265 7365 742f 6163 6b                   reset/ack
    
    
    Same behavior from the scanning host.   (And an interesting piece of
    fingerprint data from the MacOS 8.6 machine that was scanned, too. "no tcp,
    reset/ack".   Cute.   But, I digress...)
    
    
    
    
    When the thing is scanning hosts that actually have listening ssh daemons,
    the following behavior is seen:
    
    17:26:52.875870 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 282101904:282101904(0) win 942 (ttl 116, id 31936)
      0000: 4500 0028 7cc0 0000 7406 7401 c7ab 1b32  E..(|À..t.t.Ç«.2
      0010: xxxx xxxx 0016 0016 10d0 8890 413c 8430  xxxx.....Ð..A<.0
      0020: 5002 03ae f72c 0000 8888 8888 8888       P..®÷,........
    
    17:26:52.880542 xx.xx.xx.xx.22 > 199.171.27.50.22: S [tcp sum ok] 3746038458:3746038458(0) ack 282101905 win 16384 <mss 1460> (DF) (ttl 63, id 77)
      0000: 4500 002c 004d 4000 3f06 e570 xxxx xxxx  E..,.M@.?.åpxxxx
      0010: c7ab 1b32 0016 0016 df48 02ba 10d0 8891  Ç«.2....ßH.º.Ð..
      0020: 6012 4000 8677 0000 0204 05b4            `.@..w.....´
    
    17:26:52.905167 199.171.27.50.22 > xx.xx.xx.xx.22: R [tcp sum ok] 282101905:282101905(0) win 0 (ttl 246, id 27635)
      0000: 4500 0028 6bf3 0000 f606 02ce c7ab 1b32  E..(kó..ö..ÎÇ«.2
      0010: xxxx xxxx 0016 0016 10d0 8891 0000 0000  xxxx.....Ð......
      0020: 5004 0000 c044 0000 8888 8888 8888       P...ÀD........
    
    17:26:52.968216 199.171.27.50.3739 > xx.xx.xx.xx.22: S [tcp sum ok] 1472546361:1472546361(0) win 32120 <mss 1460,sackOK,timestamp 1463391690,nop,wscale 0> (DF) (ttl 55, id 27641)
      0000: 4500 003c 6bf9 4000 3706 81b4 c7ab 1b32  E..<kù@.7..´Ç«.2
      0010: xxxx xxxx 0e9b 0016 57c5 4639 0000 0000  xxxx....WÅF9....
      0020: a002 7d78 c9b6 0000 0204 05b4 0402 080a   .}xɶ.....´....
      0030: 08b8 f561 0000 0000 0103 0300            .¸õa........
    
    17:26:52.972942 xx.xx.xx.xx.22 > 199.171.27.50.3739: S [tcp sum ok] 2342206147:2342206147(0) ack 1472546362 win 17376 <mss 1460,nop,wscale 0,nop,nop,timestamp 266800 146339169> (DF) (ttl 63, id 78)
      0000: 4500 003c 004e 4000 3f06 e55f xxxx xxxx  E..<.N@.?.å_xxxx
      0010: c7ab 1b32 0016 0e9b 8b9b 3ac3 57c5 463a  Ç«.2......:ÃWÅF:
      0020: a012 43e0 2dac 0000 0204 05b4 0103 0300   .Cà-¬.....´....
      0030: 0101 080a 0004 1230 08b8 f561            .......0.¸õa
    
    17:26:52.998489 199.171.27.50.3739 > xx.xx.xx.xx.22: . [tcp sum ok] ack 1 win 32120 <nop,nop,timestamp 146339172 266800> (DF) (ttl 55, id 27643)
      0000: 4500 0034 6bfb 4000 3706 81ba c7ab 1b32  E..4kû@.7..ºÇ«.2
      0010: xxxx xxxx 0e9b 0016 57c5 463a 8b9b 3ac4  xxxx....WÅF:..:Ä
      0020: 8010 7d78 1fd5 0000 0101 080a 08b8 f564  ..}x.Õ.......¸õd
      0030: 0004 1230                                ...0
    
    17:26:53.017523 xx.xx.xx.xx.22 > 199.171.27.50.3739: P [tcp sum ok] 1:51(50) ack 1 win 17376 <nop,nop,timestamp 266805 146339172> (DF) (ttl 63, id 80)
      0000: 4500 0066 0050 4000 3f06 e533 xxxx xxxx  E..f.P@.?.å3xxxx
      0010: c7ab 1b32 0016 0e9b 8b9b 3ac4 57c5 463a  Ç«.2......:ÄWÅF:
      0020: 8018 43e0 4e4d 0000 0101 080a 0004 1235  ..CàNM.........5
      0030: 08b8 f564 5353 482d 312e 3939 2d4f 7065  .¸õdSSH-1.99-Ope
      0040: 6e53 5348 5f32 2e33 2e30 2067 7265 656e  nSSH_2.3.0 green
      0050: 4046 7265 6542 5344 2e6f 7267 2032 3030  @FreeBSD.org 200
      0060: 3130 3332 310a                           10321.
    
    17:26:53.043490 199.171.27.50.3739 > xx.xx.xx.xx.22: . [tcp sum ok] ack 51 win 32120 <nop,nop,timestamp 146339176 266805> (DF) (ttl 55, id 27644)
      0000: 4500 0034 6bfc 4000 3706 81b9 c7ab 1b32  E..4kü@.7..¹Ç«.2
      0010: xxxx xxxx 0e9b 0016 57c5 463a 8b9b 3af6  xxxx....WÅF:..:ö
      0020: 8010 7d78 1f9a 0000 0101 080a 08b8 f568  ..}x.........¸õh
      0030: 0004 1235                                ...5
    
    17:26:53.048075 199.171.27.50.3739 > xx.xx.xx.xx.22: F [tcp sum ok] 1:1(0) ack 51 win 32120 <nop,nop,timestamp 146339176 266805> (DF) (ttl 55, id 27648)
      0000: 4500 0034 6c00 4000 3706 81b5 c7ab 1b32  E..4l.@.7..怮.2
      0010: xxxx xxxx 0e9b 0016 57c5 463a 8b9b 3af6  xxxx....WÅF:..:ö
      0020: 8011 7d78 1f99 0000 0101 080a 08b8 f568  ..}x.........¸õh
      0030: 0004 1235                                ...5
    
    17:26:53.052916 xx.xx.xx.xx.22 > 199.171.27.50.3739: . [tcp sum ok] ack 2 win 17376 <nop,nop,timestamp 266808 146339176> (DF) (ttl 63, id 81)
      0000: 4500 0034 0051 4000 3f06 e564 xxxx xxxx  E..4.Q@.?.ådxxxx
      0010: c7ab 1b32 0016 0e9b 8b9b 3af6 57c5 463b  Ç«.2......:öWÅF;
      0020: 8010 43e0 592e 0000 0101 080a 0004 1238  ..CàY..........8
      0030: 08b8 f568                                .¸õh
    
    17:26:53.053975 xx.xx.xx.xx.22 > 199.171.27.50.3739: F [tcp sum ok] 51:51(0) ack 2 win 17376 <nop,nop,timestamp 266808 146339176> (DF) (ttl 63, id 82)
      0000: 4500 0034 0052 4000 3f06 e563 xxxx xxxx  E..4.R@.?.åcxxxx
      0010: c7ab 1b32 0016 0e9b 8b9b 3af6 57c5 463b  Ç«.2......:öWÅF;
      0020: 8011 43e0 592d 0000 0101 080a 0004 1238  ..CàY-.........8
      0030: 08b8 f568                                .¸õh
    
    17:26:53.079485 199.171.27.50.3739 > xx.xx.xx.xx.22: . [tcp sum ok] ack 52 win 32120 <nop,nop,timestamp 146339180 266808> (DF) (ttl 55, id 27654)
      0000: 4500 0034 6c06 4000 3706 81af c7ab 1b32  E..4l.@.7..¯Ç«.2
      0010: xxxx xxxx 0e9b 0016 57c5 463b 8b9b 3af7  xxxx....WÅF;..:÷
      0020: 8010 7d78 1f91 0000 0101 080a 08b8 f56c  ..}x.........¸õl
      0030: 0004 1238                                ...8
    
    
    
    
    We see the same "0000 8888 8888 8888" packet trailer on both the SYN and
    RST packets sent by the initial scanning utility, and then we immediately
    see a connect() attempt to the same system to gather the version
    identification string.
    
    
    
    Anyone else seen this, or have any further information? 
    
    
    Thanks.
    
    -- 
                            Erik Fichtner; Unix Ronin
                        http://www.obfuscation.org/techs/
    "The reasonable man adapts himself to the world; the unreasonable one
    persists in trying to adapt the world to himself.  Therefore, all progress
    depends on the unreasonable." -- George Bernard Shaw
    
    
    
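As an added example, not part of Erik's post, here is a small Python decoder for tcpdump hex dumps in the format quoted above; it checks each packet for the traits he points out (source port equal to destination port 22, a bare TCP header with no options, no DF, and the trailing run of 0x88 bytes, which sits past the IP total length) and measures the spacing between probes from one source. The three sample packets are re-typed from the post with the target address left masked; the regexes and function names are mine.

```python
import re
HDR = re.compile(r"^\s*(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): ")
HEX = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")

# Constructed sample re-typed from the post (headers shortened, ASCII columns cut);
# the masked target "xxxx" decodes here as 0.0.0.0.
SAMPLE = """\
16:48:53.182470 199.171.27.50.22 > xx.xx.xx.xx.22: S (ttl 114, id 51449)
  0000: 4500 0028 c8f9 0000 7206 29d6 c7ab 1b32  E..(
  0010: xxxx xxxx 0016 0016 730f 776e 3e1b e0b9  xxxx....s.wn>.
  0020: 5002 9acf b593 0000 8888 8888 8888       P...
16:51:39.680908 199.171.27.50.22 > xx.xx.xx.xx.22: S (ttl 126, id 22534)
  0000: 4500 0028 5806 0000 7e06 8ec8 c7ab 1b32  E..(X...~..
  0010: xxxx xxxx 0016 0016 1149 88c1 4f0b 9b62  xxxx.....I.
  0020: 5002 f025 e516 0000 8888 8888 8888       P.
17:26:52.968216 199.171.27.50.3739 > xx.xx.xx.xx.22: S (DF) (ttl 55, id 27641)
  0000: 4500 003c 6bf9 4000 3706 81b4 c7ab 1b32  E..<k
  0010: xxxx xxxx 0e9b 0016 57c5 4639 0000 0000  xxxx....W
  0020: a002 7d78 c9b6 0000 0204 05b4 0402 080a   .}x
  0030: 08b8 f561 0000 0000 0103 0300            ...
"""

def decode(t, src, raw):
    """Pull the IPv4/TCP fields of interest out of one raw packet (a dict for brevity)."""
    ip_len = int.from_bytes(raw[2:4], "big"); tcp = raw[(raw[0] & 0x0F) * 4:ip_len]
    return dict(t=t, src=src, ttl=raw[8], ip_len=ip_len, df=bool(raw[6] & 0x40),
                sport=int.from_bytes(tcp[:2], "big"), dport=int.from_bytes(tcp[2:4], "big"),
                flags=tcp[13] & 0x3F, opt_len=(tcp[12] >> 4) * 4 - 20,
                trailer=raw[ip_len:])  # bytes past the IP total length, outside the datagram

def parse_dump(text):
    """Group tcpdump header + hex lines into packets; masked 'xxxx' words become zero bytes."""
    blocks = []
    for line in text.splitlines():
        if h := HDR.match(line):
            blocks.append((int(h[1]) * 3600 + int(h[2]) * 60 + float(h[3]), h[4].rsplit(".", 1)[0], bytearray()))
        elif blocks and (x := HEX.match(line)):
            for w in re.split(r"\s{2,}", x[1].rstrip(), maxsplit=1)[0].split():
                blocks[-1][2].extend(bytes.fromhex(w.replace("x", "0")))
    return [decode(t, s, bytes(b)) for t, s, b in blocks]

def crafted_probe(p):
    """Scanner-probe traits per the post: sport == dport == 22, SYN or RST, bare 20-byte TCP header, no DF, 0x88 trailer."""
    return (p["sport"] == p["dport"] == 22 and p["flags"] in (0x02, 0x04) and p["opt_len"] == 0
            and not p["df"] and p["trailer"] != b"" and set(p["trailer"]) == {0x88})

def probe_intervals(pkts, src):
    """Seconds between successive crafted probes from one source (the post sees ~3 minutes)."""
    ts = [p["t"] for p in pkts if p["src"] == src and crafted_probe(p)]
    return [round(b - a) for a, b in zip(ts, ts[1:])]
```

The real connect() SYN from port 3739 carries DF and 20 bytes of options and no trailer, so it is not flagged, while the two port-22-to-port-22 SYNs are, 166 seconds apart.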


