Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: Skip Carter <skip () taygeta com>
Date: Mon, 11 Feb 2002 14:38:35 -0800
Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities? Has anyone seen identical (or very similar) artifacts left behind on multiple compromised hosts?
So far this year, I have done two investigations of intrusions that utilized sshd vulnerabilities in odrer to beak in. The post compromise activity (rootkits used, backdoors installed, attacks to other systems) were significantly completely different. The one common thing I found was that both intruders left behind trojaned or disguised ssh backdoors, but I suspect that that is just part of a new trend of using encrypted channels. -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skip () taygeta com 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
- Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
- Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
- Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)