Re: Steady increase in ssh scans

From: Skip Carter (skipat_private)
Date: Mon Feb 11 2002 - 14:38:35 PST

    > Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities?  Has anyone seen
    > identical (or very similar) artifacts left behind on multiple compromised hosts?
    
    So far this year, I have done two investigations of intrusions that
    utilized sshd vulnerabilities in order to break in.  The post compromise
    activity (rootkits used, backdoors installed, attacks to other systems)
    was significantly completely different.  The one common thing I found
    was that both intruders left behind trojaned or disguised ssh backdoors,
    but I suspect that that is just part of a new trend of using encrypted
    channels.
     
    
    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skipat_private
     1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
     Monterey, CA. 93940            
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 16:31:20 PST