Re: Steady increase in ssh scans

From: Thomas Themel (thomas.themelat_private)
Date: Tue Feb 12 2002 - 02:08:24 PST

Next message: nestlerat_private: "Re: Infecting the KaZaA network? (moving here thread from 'traq)"

Previous message: obscure: "Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"
Next in thread: KF: "Re: Steady increase in ssh scans"
Reply: KF: "Re: Steady increase in ssh scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,
Adam Manock (abmanockat_private) wrote:
> The encrypted activities of a hypothetical SSH worm could be logged using a 
> honeypot and a network sniffing logger, one that just so happens to have 
> the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide 

Actually, in case of a worm the simplest solution might be to keep an
strace of the sshd running, it is quite trivial to restore the
unencrypted session contents from there. A worm is unlikely to find
out/care that it is being traced.

ciao,
-- 
Thomas Themel    | CenterPoint Connective Software Engineering GmbH 
Hauptplatz 8/4   |    System Administrator / Software Developer 
9500 Villach     |            <http://www.cpointc.com/> 
+43 676 846623-13| work thomas.themelat_private play thomasat_private

application/pgp-signature attachment: stored

Next message: nestlerat_private: "Re: Infecting the KaZaA network? (moving here thread from 'traq)"
Previous message: obscure: "Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"
Next in thread: KF: "Re: Steady increase in ssh scans"
Reply: KF: "Re: Steady increase in ssh scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:12:46 PST