Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: "Stuart Thomas" <stuart_thomas () hotmail com>
Date: Mon, 11 Feb 2002 20:52:44 -0000
I agree with Lee, the pre-amble to a buffer-overflow, say CRC32 attack for ssh1, could have a repeating pattern (maybe except for the return address repointing [different memory size/operating systems]), which could give the possibility of an ids rule capture. Granted, any traffic post-compromise "might" be encrypted, between other compromised hosts, or more importantly "in-my-opinion" for administration by the attacker or scripts managed by the attacker. This could assist in finding out more information about the source of the attacker, especially as you would have "their" source ip address. Don't forget, you could have various other give-away information in your IDS capture, such as IP stack identification (through tcp/icmp etc). Another thought, the size of the ssh packets leaving the compromised host would be measurable too, as the worm/trojan/virus attempts to propagate itself, using the same code, recognisable pattern. (although random size packet padding might be an arse.)

Stu

----- Original Message -----
From: "Adam Manock" <abmanock () earthlink net>
To: <incidents () securityfocus com>
Sent: Monday, February 11, 2002 7:39 PM
Subject: Re: Steady increase in ssh scans
Here's my concern. With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's propagation and exploitation methods. An ssh based worm could take sniffing out of the picture (the attack is over an encrypted service) and reduce forensic analysis to artifact examination. Looks like we may need some honeypots...

The encrypted activities of a hypothetical SSH worm could be logged using a honeypot and a network sniffing logger, one that just so happens to have the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide a good place to start with how to decrypt and log a sniffed SSH connection.

An alternative approach would be to deliberately man-in-the-middle proxy an SSH honeypot and make the proxy also "look" vulnerable to the worm. The proxy would then be able to cleartext log all of the worm generated traffic, encrypted or not.

Adam

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
- Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
- Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
- Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)