> On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:
> >
> > Is this a normal increase considering the vulnerabilities made
> > public late last year?
>
> I don't think that there is a 'normal' curve for this type of
> activity. I strongly suspect that kiddie behaviour is more a result
> of fashion than rational thinking. SSH is merely C00l now!

I would agree with Russell. Since several SSH exploits are now in wide
circulation, they are making their way into every rootkit and
autorooter out there (and there are many). The increase in scanning
seems to fit typical recon/exploit cycles, with or without automation
of the exploit portion.

> > Is anyone (everyone) else seeing the same type of activity?
>
> I have not done the stats, but my impression is that my figures would
> mirror yours. I am now seeing about 1-2 port 22 scans a day in each
> network block I monitor.

I'm also seeing scanning, with lots of syslog messages like the
following:

Feb 7 15:56:24 XXXXX sshd[19622]: Did not receive ident string from ::ffff:XX.XXX.227.164.

> > Has anyone seen evidence of a worm?
>
> No, but then we have not had any compromises. I have seen no random
> probing of the kind favoured by most worms. I do believe that there are
> worms out there that exploit BIND problems; I regularly see random
> probes on udp 53.

I've seen two or three "autorooter" kits using SSH exploits, which
combine scanning, exploitation, log cleaning, and trojaning, all in
one kit. These exploits are not well suited to worms, since they are
so noisy (>1MB of traffic per exploit), but I'm sure someone will
eventually try to build one anyway.
--
Dave Dittrich                          Computing & Communications
dittrichat_private                     University Computing Services
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
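Added example, not part of the archived thread: the message above quotes one sshd "Did not receive ident string" syslog line and a rough rate of 1-2 port 22 scans a day per network block. The script below aggregates such lines into per-day counts and flags a single source that touches several monitored hosts, which is the signature of a sweep rather than a stray connect. It also handles the IPv4-mapped `::ffff:` form seen in the quoted line, the newer OpenSSH wording ("identification string ... port N"), and junk lines. The log lines, host names and addresses are constructed for this example; nothing here is Dave Dittrich's own tooling.

```python
"""
Added example (not from the original thread): aggregate sshd
"Did not receive ident string" syslog lines into per-day and
per-source counts so that one source sweeping port 22 across several
monitored hosts stands out from one-off connects.
The sample log lines below are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Accepts the old OpenSSH wording ("ident string") and the newer one
# ("identification string"), an optional trailing " port N", and an
# optional trailing period as in the quoted e-mail.
SSHD_NOIDENT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Did not receive ident(?:ification)? string "
    r"from (?P<src>[0-9A-Fa-f:.]+?)\.?(?: port \d+)?$"
)


def normalize_source(addr):
    """Return an IPv4-mapped IPv6 source (::ffff:a.b.c.d, as logged by a
    dual-stack sshd) as plain IPv4, any other valid address unchanged,
    and None for anything that is not an address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_noident(line):
    """Return (day, host, source) for a matching sshd line, else None."""
    m = SSHD_NOIDENT_RE.match(line.rstrip())
    if not m:
        return None
    src = normalize_source(m.group("src"))
    if src is None:
        return None
    # Classic syslog timestamps carry no year, so "Feb 7" is the day key.
    day = "%s %s" % (m.group("mon"), int(m.group("day")))
    return day, m.group("host"), src


def summarize(lines, sweep_threshold=2):
    """Count no-ident connects per day and list sources that touched at
    least `sweep_threshold` distinct monitored hosts (a port 22 sweep)."""
    per_day = defaultdict(int)
    hosts_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_noident(line)
        if parsed is None:
            continue
        day, host, src = parsed
        per_day[day] += 1
        hosts_by_src[src].add(host)
    sweeps = {src: sorted(h) for src, h in hosts_by_src.items()
              if len(h) >= sweep_threshold}
    return {"per_day": dict(per_day),
            "sources": {s: sorted(h) for s, h in hosts_by_src.items()},
            "sweeps": sweeps}


# Constructed sample: one source sweeping three hosts on Feb 7, a single
# hit on Feb 8 in the newer message format, plus two noise lines.
SAMPLE_LOG = """\
Feb  7 15:56:24 hostA sshd[19622]: Did not receive ident string from ::ffff:198.51.100.23.
Feb  7 15:56:25 hostB sshd[2201]: Did not receive ident string from ::ffff:198.51.100.23
Feb  7 15:56:25 hostC sshd[877]: Did not receive ident string from 198.51.100.23
Feb  7 16:02:11 hostA sshd[19630]: Accepted publickey for dave from 203.0.113.9 port 40122 ssh2
Feb  8 03:14:07 hostB sshd[2250]: Did not receive identification string from 203.0.113.77 port 51234
Feb  8 03:14:08 hostB sshd[2251]: Did not receive ident string from not-an-address
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for day, n in sorted(result["per_day"].items()):
        print("%s: %d no-ident connects" % (day, n))
    for src, hosts in result["sweeps"].items():
        print("sweep from %s across %s" % (src, ", ".join(hosts)))
```

Feed it real `/var/log/auth.log` or `/var/log/secure` lines in place of `SAMPLE_LOG`; the counts per day are what the thread is comparing between sites, and the `sweeps` list is the part worth correlating across the network blocks a site monitors, since a scanner hits many hosts while a misconfigured client hits one.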
This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:05:34 PST