Re: fast ssh scans

From: Daniel Martin (dtmartin24at_private)
Date: Thu Oct 18 2001 - 09:33:36 PDT

  • Next message: Alan Wright: "Re: many port 4599 probes"

    Can Erkin Acar <canacarat_private> writes:
    
    > Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
    > Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)
    > 
    > * SSH log of the same machine: Shows that the second probe was a real
    >   connection (not a SYN scan). It is probably used to collect version
    >   information from the server. I believe it is NOT scanssh since scanssh
    >   does send a version string.
    > 
    > Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170.
    > 
    > It looks like a custom tool looking for vulnerable sshd versions.
    > Has anyone encountered something similiar?
    
    It looks like a synscan variant.  synscan's C source code is designed
    so that it's easy to take the general framework (SF scan of an IP
    range, followed by a fork() that does a regular connect to the port)
    and plug in custom strings to look for in the connect message.  The
    pattern I've seen before (the ramen worm worked this way) was that
    synscan would write vulnerable IP addresses to a file, and then some
    separate exploit program would then be run against each IP in that
    file.  (The ramen worm had a driver script that ran a loop with "tail
    -f" on the output file so that it could attempt to break into machines
    while synscan was still scanning)
    
    Telltale signs of a synscan variant: 
    - SYN+FIN scan followed by an almost immediate regular SYN to open
      hosts.  (Doesn't this rather defeat the point of running a SYN+FIN
      scan in the first place?  Isn't it the point of a SYN+FIN scan to
      avoid being detected by those hosts that aren't running a firewall
      but do log regular connections to open ports?)
    - IP id 39426 (This is what you get when your source code says 
            ip->id = 666;
      and you compile on a little-endian machine, like intel-based linux
      boxes) on the SYN+FIN scan
    - Source port == Destination port (again, on the SYN+FIN scan - the
      synscan program uses this to distinguish FIN responses from open
      scanned machines from other unrelated incoming FIN packets)
    
    So as for the tool used, it's synscan; however, this doesn't tell you
    which ssh versions they were looking for nor which tool they would run
    against your machines had they found a vulnerable box.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:20:21 PDT