From: Skip Carter (skip taygeta.com)
Date: Mon Feb 11 2002 - 16:38:35 CST
> Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities? Has anyone seen
> identical (or very similar) artifacts left behind on multiple compromised hosts?
So far this year, I have done two investigations of intrusions that utilized sshd vulnerabilities in order to break in. The post-compromise activity (rootkits used, backdoors installed, attacks to other systems) was significantly completely different. The one common thing I found was that both intruders left behind trojaned or disguised ssh backdoors, but I suspect that that is just part of a new trend of using encrypted channels.
--
Dr. Everett (Skip) Carter
Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.
INTERNET: skiptaygeta.com
1340 Munras Ave., Suite 314
WWW: http://www.taygeta.com
Monterey, CA. 93940
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com