Security Incidents mailing list archives

Re: Steady increase in ssh scans


From: Thomas Themel <thomas.themel () cpointc com>
Date: Tue, 12 Feb 2002 15:15:13 +0100

Hi,
[Moderator: Sorry for mailing this to vuln-dev this morning...]
Adam Manock (abmanock () earthlink net) wrote:
> The encrypted activities of a hypothetical SSH worm could be logged using a
> honeypot and a network sniffing logger, one that just so happens to have
> the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide

Actually, in case of a worm the simplest solution might be to keep an
strace of the sshd running, it is quite trivial to restore the
unencrypted session contents from there. A worm is unlikely to find
out/care that it is being traced.

ciao,
-- 
Thomas Themel    | CenterPoint Connective Software Engineering GmbH 
Hauptplatz 8/4   |    System Administrator / Software Developer 
9500 Villach     |            <http://www.cpointc.com/> 
+43 676 846623-13| work thomas.themel () cpointc com play thomas () themel com
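
The approach described in the message above, as an added example that is not part of the original post: a Python parser that rebuilds session bytes from an strace log of a honeypot's sshd and separates the readable pty stream from the ciphertext on the network socket. It assumes the log was written with `strace -f -o` (PID prefix, plain fd numbers, no `-y` decoding); the fd numbers and the sample lines are constructed.

```python
import re
from collections import defaultdict

# One completed read()/write() as strace prints it; the PID prefix is optional.
CALL = re.compile(r'^(?:(\d+)\s+)?(read|write)\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, \d+\)\s+= (\d+)')
ESCAPE = re.compile(rb'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
SIMPLE = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'v': b'\v', b'f': b'\f'}

def unescape(text):
    """Turn strace's C-style string escapes back into the raw bytes."""
    def one(m):
        e = m.group(1)
        if len(e) == 3 and e[:1] == b'x':       # \xHH, printed when strace runs with -x
            return bytes([int(e[1:], 16)])
        if e[:1] in b'01234567':                # \N, \NN or \NNN octal (strace default)
            return bytes([int(e, 8) & 0xFF])
        return SIMPLE.get(e, e)                 # \" and \\ map to themselves
    return ESCAPE.sub(one, text.encode('latin-1'))

def streams(trace_lines):
    """Reassemble bytes per (pid, fd, syscall); also report keys cut short by -s."""
    out, truncated = defaultdict(bytearray), set()
    for line in trace_lines:
        m = CALL.match(line)
        if not m:
            continue                            # other syscalls, errors, <unfinished ...>
        pid, call, fd, data, cut, ret = m.groups()
        key = (int(pid or 0), int(fd), call)
        out[key] += unescape(data)[:int(ret)]   # only bytes actually transferred
        if cut:
            truncated.add(key)                  # string limit (-s) was too small
    return out, truncated

def plaintext(streams_by_key, threshold=0.9):
    """Keep mostly-printable streams: the pty side, not the encrypted socket."""
    keep = {}
    for key, buf in streams_by_key.items():
        printable = sum(32 <= b < 127 or b in b'\r\n\t\x1b' for b in buf)
        if buf and printable / len(buf) >= threshold:
            keep[key] = bytes(buf)
    return keep

# Constructed sample: fd 3 stands in for the network socket, fd 9 for the pty master.
SAMPLE = r'''
4242 read(3, "\x8f\x02\xd1\x9c\x00\x7f\xe3\x15\xaa\x90\x04\xbe", 16384) = 12
4242 write(9, "uname -a\r", 9) = 9
4242 read(9, "uname -a\r\nLinux honeypot 2.4.17\r\n", 16384) = 33
4242 write(3, "\221\17\350\3\256\0\377\202\33\244\6\311", 12) = 12
4242 read(9,  <unfinished ...>
'''.strip().splitlines()
```

Calling `plaintext(streams(SAMPLE)[0])` leaves only the two fd 9 streams; any key reported in the truncated set means the trace should be repeated with a larger `-s` value.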
