 
From: Dave Dittrich (dittrich@cac.washington.edu)
Date: Mon Feb 11 2002 - 19:57:53 CST


    > On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:
    > >
    > > Is this a normal increase considering the vulnerabilities made
    > > public late last year?
    >
    > I don't think that there is a 'normal' curve for this type of
    > activity. I strongly suspect that kiddie behaviour is more a result
    > of fashion than rational thinking. SSH is merely C00l now!

    I would agree with Russell. Since several SSH exploits are now
    in wide circulation, they are making their way into every rootkit and
    autorooter out there (and there are many). The increase in scanning
    seems to fit typical recon/exploit cycles, with or without automation
    of the exploit portion.

    > > Is anyone (everyone) else seeing the same type of activity?
    >
    > I have not done the stats but my impression is that my figures would
    > mirror yours. I am now seeing about 1-2 port 22 scans a day in each
    > network block I monitor.

    I'm also seeing scanning, with lots of syslog messages like the
    following:

    Feb 7 15:56:24 XXXXX sshd[19622]: Did not receive ident string from
    ::ffff:XX.XXX.227.164.

    > > Has anyone seen evidence of a worm?
    >
    > No, but then we have not had any compromises. I have seen no random
    > probing that is favoured by most worms. I do believe that there are
    > worms out there that exploit BIND problems, I regularly see random
    > probes on udp 53.

    I've seen two or three "autorooter" kits using SSH exploits, which
    combine scanning, exploitation, log cleaning, and trojaning, all in
    one kit. These exploits are not well suited to worms, since they are
    so noisy (>1MB of traffic per exploit), but I'm sure someone will
    eventually try to build one anyway.

    --
    Dave Dittrich                           Computing & Communications
    dittrich@cac.washington.edu            University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    

    PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
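The syslog line Dittrich quotes ("Did not receive ident string from ...") is the trace a port-22 sweep leaves when a scanner connects and drops without ever sending an SSH version banner. The following is an added example, not code from the original message or from anyone in the thread: it parses a handful of constructed sshd syslog lines (RFC 5737 test addresses, hypothetical hosts gw1..gw3), normalises the IPv4-mapped IPv6 form seen in the post (::ffff:a.b.c.d) back to plain IPv4, and counts per-source events and the number of distinct hosts each source touched, which is the "same address hitting every block" pattern the posters describe. It also accepts the later OpenSSH wording "Did not receive identification string from ... port N"; that generalisation and the thresholds are my assumptions.

```python
import ipaddress
import re

# Classic syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message"
SSHD_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

# The message quoted in the thread ("ident string") plus the wording later
# OpenSSH releases use ("identification string ... port N"). The address may
# carry a trailing period, as in the quoted line.
NO_IDENT = re.compile(
    r'^Did not receive ident(?:ification)? string from '
    r'(?P<src>\S+?)(?: port (?P<port>\d+))?\.?$'
)

# Constructed sample log (not real data): one source sweeping three hosts,
# one legitimate login, one single banner-less connect, one unrelated close.
SAMPLE_LOG = """\
Feb  7 15:56:24 gw1 sshd[19622]: Did not receive ident string from ::ffff:192.0.2.44.
Feb  7 15:56:25 gw2 sshd[2201]: Did not receive ident string from ::ffff:192.0.2.44.
Feb  7 15:56:27 gw3 sshd[811]: Did not receive ident string from ::ffff:192.0.2.44.
Feb  7 16:02:10 gw1 sshd[19640]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Feb  7 16:10:01 gw1 sshd[19655]: Did not receive identification string from 203.0.113.9 port 40123
Feb  7 16:30:44 gw2 sshd[2230]: Connection closed by 198.51.100.7
"""


def normalize_src(src):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to a.b.c.d.

    Anything that is not a literal IP (a hostname, a garbled field) is
    returned unchanged so it still gets counted rather than silently dropped.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_events(log_text):
    """Return [(timestamp, host, source)] for every banner-less sshd connect."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue
        n = NO_IDENT.match(m.group('msg'))
        if not n:
            continue
        events.append((m.group('ts'), m.group('host'), normalize_src(n.group('src'))))
    return events


def summarize(events):
    """Per source: event count, set of hosts touched, first/last timestamp."""
    summary = {}
    for ts, host, src in events:
        rec = summary.setdefault(src, {'count': 0, 'hosts': set(), 'first': ts, 'last': ts})
        rec['count'] += 1
        rec['hosts'].add(host)
        rec['last'] = ts
    return summary


def likely_scanners(summary, min_events=3, min_hosts=2):
    """Sources that either repeat often or touch several hosts (assumed thresholds)."""
    return sorted(src for src, rec in summary.items()
                  if rec['count'] >= min_events or len(rec['hosts']) >= min_hosts)


if __name__ == '__main__':
    summary = summarize(parse_events(SAMPLE_LOG))
    for src in likely_scanners(summary):
        rec = summary[src]
        print(f"{src}: {rec['count']} connects, hosts={sorted(rec['hosts'])}, "
              f"{rec['first']} .. {rec['last']}")
```

Two caveats when running this over real logs: the same message fires for benign clients that open and close the port without speaking SSH (load-balancer health checks, port-availability monitors), so the thresholds and an allow-list matter more than the match itself; and because the sweep is what precedes the exploit attempt, the value of the count is in correlating it with logs from the other network blocks, exactly the cross-block view the posters are comparing notes on.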

    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com