Security Incidents mailing list archives

RE: Steady increase in ssh scans


From: Etienne Joubert <etienne () citec net>
Date: Tue, 12 Feb 2002 09:03:09 +0200

On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:

Has anyone seen evidence of a worm?

no, but then we have not had any compromises.  I have seen no random
probing that is favoured by most worms.  I do believe that there are
worms out there that exploit BIND problems,  I regularly see random
probes on udp 53.

I left one of our machines open, it got compromised and was running vuln
checks and attempts on addresses specified in a txt file. A lot of
binaries were replaced except for `find`.
From this I could work my way through the cleanup process and see
everything that was going on.
Not surprisingly, there was a backdoor shell through which the silent
intruder started the daemons to scan/attack other addresses.

I'm sure it's easy enough for them to simply automate this process and
bam, you got a worm.
PS: Our log counters are sitting at just over 4000 since 1 Feb.

regards,
EJ
CiTEC.NET
