Security Incidents mailing list archives

Steady increase in ssh scans

From: "TCG CSIRT" <csirt () terradon com>
Date: Mon, 11 Feb 2002 11:35:40 -0500

Some simple trending....

sshd syn connections from portscan logging on a single gateway for:
Nov:  484
Dec: 1145
Jan: 1753

February is on track to recieve over 2000 at the current rate on this particular gateway.

This shows a sharp increase in ssh portscans.  This also raises the following questions:

Is this a normal increase considering the vulnerabilities made public late last year?
Is anyone (everyone) else seeing the same type of activity?
Has anyone seen evidence of a worm?

Here's my concern.  With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's 
propogation and exploitatoin methods.  An ssh based worm could take sniffing out of the picture (the attack is over an 
encrypted service) and reduce forensic analysis to artifact examination.

Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities?  Has anyone seen identical 
(or very similar) artifacts left behind on multiple compromised hosts?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
  - Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
  - Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
  - Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)