Re: Steady increase in ssh scans

From: Dave Dittrich (dittrichat_private)
Date: Mon Feb 11 2002 - 17:57:53 PST


    > On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:
    > >
    > > Is this a normal increase considering the vulnerabilities made
    > > public late last year?
    >
    > I don't think that there is a 'normal' curve for this type of
    > activity.  I strongly suspect that kiddie behaviour is more a result
    > of fashion than rational thinking.  SSH is merely C00l now!
    
    I would agree with Russell.  Since several SSH exploits are now
    in wide circulation, they are making their way into every rootkit and
    autorooter out there (and there are many).  The increase in scanning
    seems to fit typical recon/exploit cycles, with or without automation
    of the exploit portion.
    
    > > Is anyone (everyone) else seeing the same type of activity?
    >
    > I have not done the stats but my impression is that my figures would
    > mirror yours.  I am now seeing about 1-2 port 22 scans a day in each
    > network block I monitor.
    
    I'm also seeing scanning, with lots of syslog messages like the
    following:
    
    Feb  7 15:56:24 XXXXX sshd[19622]: Did not receive ident string from
    ::ffff:XX.XXX.227.164.
    
    > > Has anyone seen evidence of a worm?
    >
    > no, but then we have not had any compromises.  I have seen no random
    > probing that is favoured by most worms.  I do believe that there are
    > worms out there that exploit BIND problems,  I regularly see random
    > probes on udp 53.
    
    I've seen two or three "autorooter" kits using SSH exploits, which
    combine scanning, exploitation, log cleaning, and trojaning, all in
    one kit.  These exploits are not well suited to worms, since they are
    so noisy (>1MB of traffic per exploit), but I'm sure someone will
    eventually try to build one anyway.
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
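    The "Did not receive ident string" syslog lines mentioned above are what a
    connect scan against port 22 leaves behind: the client opens the TCP
    connection but never sends an SSH version banner.  The following is an
    added example (not from the original post) that parses such sshd lines,
    collapses IPv4-mapped IPv6 sources like ::ffff:a.b.c.d to plain IPv4, and
    flags sources with repeated banner-less connects per day.  The log lines
    and addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample sshd syslog lines, modelled on the one quoted in the post.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Feb  7 15:56:24 gw sshd[19622]: Did not receive ident string from ::ffff:192.0.2.164.
Feb  7 15:56:31 gw sshd[19630]: Did not receive ident string from ::ffff:192.0.2.164.
Feb  7 16:02:10 gw sshd[19711]: Accepted publickey for alice from 198.51.100.7 port 51012 ssh2
Feb  7 16:40:02 gw sshd[19802]: Did not receive ident string from 203.0.113.9.
Feb  7 16:40:05 gw sshd[19803]: Did not receive ident string from 203.0.113.9.
Feb  7 16:40:09 gw sshd[19804]: Did not receive ident string from 203.0.113.9.
Feb  8 03:12:44 gw sshd[20110]: Did not receive ident string from ::ffff:192.0.2.164.
"""

# Matches the "no ident string" event: a TCP connect to port 22 that never
# sent an SSH version banner, which is what a connect/version scanner leaves behind.
IDENT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Did not receive ident string from (?P<src>[0-9a-fA-F:.]+?)\.?$"
)

def normalize_source(src):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain IPv4 string."""
    addr = ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def count_ident_failures(log_text):
    """Return {(mon, day): Counter{source: hits}} for ident-string failures."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            per_day[(m["mon"], int(m["day"]))][normalize_source(m["src"])] += 1
    return per_day

def flag_scanners(log_text, threshold=2):
    """Sources with >= threshold banner-less connects on one day, as (mon, day, src, hits)."""
    hits = count_ident_failures(log_text)
    return sorted((mon, day, src, n) for (mon, day), c in hits.items()
                  for src, n in c.items() if n >= threshold)

if __name__ == "__main__":
    for row in flag_scanners(SAMPLE_LOG):
        print("%s %2d  %-15s %d connects without SSH banner" % row)
```

    Normalizing the mapped addresses matters because the same scanner shows up
    as ::ffff:a.b.c.d on a dual-stack sshd and as a.b.c.d elsewhere.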
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:05:34 PST