



Security Incidents mailing list archives

Steady increase in ssh scans
From: "TCG CSIRT" <csirt () terradon com>
Date: Mon, 11 Feb 2002 11:35:40 -0500

Some simple trending....

sshd syn connections from portscan logging on a single gateway for:
Nov:  484
Dec: 1145
Jan: 1753

February is on track to receive over 2000 at the current rate on this particular gateway.

This shows a sharp increase in ssh portscans.  This also raises the following questions:

Is this a normal increase considering the vulnerabilities made public late last year?
Is anyone (everyone) else seeing the same type of activity?
Has anyone seen evidence of a worm?

Here's my concern.  With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's propagation and exploitation methods.  An ssh based worm could take sniffing out of the picture (the attack is over an encrypted service) and reduce forensic analysis to artifact examination.

Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities?  Has anyone seen identical (or very similar) artifacts left behind on multiple compromised hosts?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

