this is a heads up to the incidents people (and related @cert and @sans) to let you know i have released some modifications i made to niels provos' scanssh tool. i made the modifications last fall against version 1.2a of his scanssh code. the changes add scanning for telnetd and rshd, in addition to sshd, to assist network administrators and authorized personelle to more fully audit their login methods on their networks. the biggest change i want people here to know about is the ssh version string change: SSH-1.1-SSH_Telnet_RSH_Version_Mapper if you see this its a clear indication that this modified tool has been used. it only looks for a valid connection, sends this string, and then closes the connection. no other data is exchanged, nothing is logged aside from the true or false for a connection for that IP. thanks. ___________________________ jose nazario, ph.d. joseat_private http://www.monkey.org/~jose/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 08:43:42 PDT