Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: Thomas Themel <thomas.themel () cpointc com>
Date: Tue, 12 Feb 2002 15:15:13 +0100
Hi, [Moderator: Sorry for mailing this to vuln-dev this morning...] Adam Manock (abmanock () earthlink net) wrote:
The encrypted activities of a hypothetical SSH worm could be logged using a honeypot and a network sniffing logger, one that just so happens to have the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide
Actually, in case of a worm the simplest solution might be to keep an strace of the sshd running, it is quite trivial to restore the unencrypted session contents from there. A worm is unlikely to find out/care that it is being traced. ciao, -- Thomas Themel | CenterPoint Connective Software Engineering GmbH Hauptplatz 8/4 | System Administrator / Software Developer 9500 Villach | <http://www.cpointc.com/> +43 676 846623-13| work thomas.themel () cpointc com play thomas () themel com
Attachment:
_bin
Description:
Current thread:
- Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
- Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
- Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
- Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)