Can Erkin Acar <canacarat_private> writes: > Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426) > Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236) > > * SSH log of the same machine: Shows that the second probe was a real > connection (not a SYN scan). It is probably used to collect version > information from the server. I believe it is NOT scanssh since scanssh > does send a version string. > > Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170. > > It looks like a custom tool looking for vulnerable sshd versions. > Has anyone encountered something similiar? It looks like a synscan variant. synscan's C source code is designed so that it's easy to take the general framework (SF scan of an IP range, followed by a fork() that does a regular connect to the port) and plug in custom strings to look for in the connect message. The pattern I've seen before (the ramen worm worked this way) was that synscan would write vulnerable IP addresses to a file, and then some separate exploit program would then be run against each IP in that file. (The ramen worm had a driver script that ran a loop with "tail -f" on the output file so that it could attempt to break into machines while synscan was still scanning) Telltale signs of a synscan variant: - SYN+FIN scan followed by an almost immediate regular SYN to open hosts. (Doesn't this rather defeat the point of running a SYN+FIN scan in the first place? Isn't it the point of a SYN+FIN scan to avoid being detected by those hosts that aren't running a firewall but do log regular connections to open ports?) - IP id 39426 (This is what you get when your source code says ip->id = 666; and you compile on a little-endian machine, like intel-based linux boxes) on the SYN+FIN scan - Source port == Destination port (again, on the SYN+FIN scan - the synscan program uses this to distinguish FIN responses from open scanned machines from other unrelated incoming FIN packets) So as for the tool used, it's synscan; however, this doesn't tell you which ssh versions they were looking for nor which tool they would run against your machines had they found a vulnerable box. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:20:21 PDT