Security Incidents mailing list archives

RE: Steady increase in ssh scans


From: Lee Brotherston <lee.brotherston () uk easynet net>
Date: Mon, 11 Feb 2002 18:55:05 -0000

| Here's my concern.  With worms like nimda, lion, and others, 
| sniffing is a major factor in analyzing the worm's 
| propagation and exploitation methods.  An ssh based worm 
| could take sniffing out of the picture (the attack is over an 
| encrypted service) and reduce forensic analysis to artifact 
| examination.

I might be wrong, but the way I understood it, the exploits that surround
various sshds all take place before an encrypted tunnel is set up.  So you
can still sniff the network for evidence of the exploit taking place.  What
you may not be able to do, however, is track what it does next if the next
phase takes place over encrypted channels.

In the case of a worm you may find that it exploits the daemon only to run
some arbitrary code, and does not do a great deal over an ssh tunnel.  If
this was the case then you would probably see strange behaviour from an
infected machine; for example, it would most likely start scanning other
machines and trying to overflow their sshds, and again you could pick up this
activity.

The time at which you might not be able to track it is if, after
exploitation, it uses another means to spread between machines using
encrypted channels, or it trojans some part of the system, like say the ssh
client :/

</RANDOM THINKING>

  Lee

-- 
Lee Brotherston  -  IP Security Manager, Easynet Ltd
http://www.easynet.net/         Phone: +44 20 7900 4444
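The two observations in the post (the exploit hits the daemon before any encryption is negotiated, and an infected box then fans out scanning port 22) both lend themselves to cheap network-side checks. The following is an added example, not code from Lee's post or the ARIS list; it assumes a constructed flow log of the form `timestamp src dst dport` and a set of raw client identification strings captured before key exchange, and the thresholds (5 distinct targets in 60 seconds) are illustrative choices, not values from the post.

```python
"""Pre-crypto SSH checks over constructed sample data (added example).

Assumed inputs, both constructed for this example:
  - flow records 'YYYY-mm-ddTHH:MM:SS src dst dport'
  - raw client identification strings seen before key exchange, i.e. the
    cleartext part of the SSH handshake where a daemon exploit would land.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: one host hits six sshds in three seconds, another
# makes two ordinary ssh connections plus an unrelated HTTP connection.
SAMPLE_FLOWS = """\
2002-02-11T18:50:00 10.0.0.5 10.0.1.1 22
2002-02-11T18:50:01 10.0.0.5 10.0.1.2 22
2002-02-11T18:50:01 10.0.0.5 10.0.1.3 22
2002-02-11T18:50:02 10.0.0.5 10.0.1.4 22
2002-02-11T18:50:02 10.0.0.5 10.0.1.5 22
2002-02-11T18:50:03 10.0.0.5 10.0.1.6 22
2002-02-11T18:55:00 10.0.0.9 10.0.1.1 22
2002-02-11T18:57:00 10.0.0.9 10.0.1.1 22
2002-02-11T18:57:30 10.0.0.9 10.0.1.2 80
"""


def parse_flows(text):
    """Parse the assumed flow format into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_ssh_scanners(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct port-22 targets} for sources that reached
    at least `min_targets` distinct hosts on port 22 inside any `window`.
    Uses a sliding window per source so a slow scan is not missed by
    fixed-bucket counting."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 22:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


# RFC 4253 section 4.2: identification string is
# "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes
# including CR LF. It is sent in the clear, so anything that does not look
# like this is visible to a sniffer regardless of what the tunnel later hides.
BANNER_RE = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-[\x21-\x7e]+( [\x20-\x7e]*)?\r?\n\Z")

# Constructed banners: two normal, one oversized, one non-printable junk.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_3.0\r\n",
    b"SSH-1.99-Client\r\n",
    b"SSH-2.0-" + b"A" * 300 + b"\r\n",
    b"\x90" * 40 + b"\r\n",
]


def classify_banner(banner):
    """Label a pre-KEX identification string as ok, oversized or malformed."""
    if len(banner) > 255:
        return "oversized"
    if not BANNER_RE.match(banner):
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for src, n in find_ssh_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible ssh scan from {src}: {n} distinct port-22 targets")
    for banner in SAMPLE_BANNERS:
        print(classify_banner(banner), banner[:24])
```

Both checks run entirely on traffic that an ssh-based worm cannot hide, which is the point of the post: the daemon exploit and the follow-on scanning are observable even if anything the worm does afterwards over a negotiated tunnel is not.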


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
