Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: Skip Carter <skip () taygeta com>
Date: Mon, 11 Feb 2002 14:38:35 -0800
Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities? Has anyone seen identical (or very similar) artifacts left behind on multiple compromised hosts?
So far this year, I have done two investigations of intrusions that utilized sshd vulnerabilities in order to break in. The post-compromise activity (rootkits used, backdoors installed, attacks to other systems) was significantly completely different. The one common thing I found was that both intruders left behind trojaned or disguised ssh backdoors, but I suspect that that is just part of a new trend of using encrypted channels.
--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
