Steady increase in ssh scans

From: TCG CSIRT (csirtat_private)
Date: Mon Feb 11 2002 - 08:35:40 PST


    Some simple trending....
    
    sshd syn connections from portscan logging on a single gateway for:
    Nov:  484
    Dec: 1145
    Jan: 1753
    
    February is on track to receive over 2000 at the current rate on this particular gateway.
    
    This shows a sharp increase in ssh portscans.  This also raises the following questions:
    
    Is this a normal increase considering the vulnerabilities made public late last year?
    Is anyone (everyone) else seeing the same type of activity?
    Has anyone seen evidence of a worm?
    
    Here's my concern.  With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's propagation and exploitation methods.  An ssh based worm could take sniffing out of the picture (the attack is over an encrypted service) and reduce forensic analysis to artifact examination.
    
    Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities?  Has anyone seen identical (or very similar) artifacts left behind on multiple compromised hosts?
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
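To turn the kind of monthly trending the post describes into something repeatable, here is an added example (not the poster's code or a SecurityFocus tool) that counts inbound TCP SYNs to port 22 per month from constructed iptables-style gateway log lines and linearly projects a partial month the way the post does for February; the log format, the sample lines and the helper names are assumptions.

```python
"""Monthly trend of inbound SSH SYN attempts from gateway portscan logs (added example)."""
import re
from calendar import monthrange
from collections import Counter

# Constructed iptables-style log lines for illustration, not the poster's real logs;
# the exact format is an assumption.
SAMPLE_LOG = """\
Jan 30 02:11:07 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4411 DPT=22 SYN
Jan 31 13:40:22 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=5090 DPT=22 SYN
Feb  1 00:03:19 gw kernel: DROP IN=eth0 SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=6021 DPT=22 SYN
Feb  1 00:03:19 gw kernel: DROP IN=eth0 SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=6022 DPT=80 SYN
Feb  3 09:15:44 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=22 ACK
Feb  3 09:16:01 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1026 DPT=22 SYN
"""

# Month name, day, timestamp, host, then the firewall fields we care about.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) \S+ \S+ kernel: "
    r".*PROTO=TCP .*DPT=(?P<dport>\d+) (?P<flags>\S+)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

def count_ssh_syn_by_month(log_text, port=22):
    """Return ({month: SYN count to `port`}, {month: last day seen}) from syslog-style text."""
    counts, last_day = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only initial SYNs to the SSH port count as scan attempts; ACKs and other ports are skipped.
        if not m or int(m["dport"]) != port or m["flags"] != "SYN":
            continue
        mon = MONTHS[m["mon"]]
        counts[mon] += 1
        last_day[mon] = max(last_day.get(mon, 0), int(m["day"]))
    return counts, last_day

def project_month(count, days_elapsed, year, month):
    """Linear projection of a partial month's count onto the full month."""
    return count * monthrange(year, month)[1] / days_elapsed

if __name__ == "__main__":
    counts, last_day = count_ssh_syn_by_month(SAMPLE_LOG)
    for mon in sorted(counts):
        print(f"month {mon}: {counts[mon]} SSH SYNs (last entry day {last_day[mon]})")
    # Year is an assumption: the post is dated February 2002.
    print("February projection:", round(project_month(counts[2], last_day[2], 2002, 2)))
```

Feeding a full month per gateway through this and comparing month over month gives the same kind of series the post reports; the projection is only a straight-line extrapolation and says nothing about which hosts are scanning.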
    