Security Incidents mailing list archives
Re: Steady increase in ssh scans
From: Adam Manock <abmanock () earthlink net>
Date: Mon, 11 Feb 2002 14:39:43 -0500
Here's my concern. With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's propogation and exploitatoin methods. An ssh based worm could take sniffing out of the picture (the attack is over an encrypted service) and reduce forensic analysis to artifact examination.
Looks like we may need some honeypots...The encrypted activities of a hypothetical SSH worm could be logged using a honeypot and a network sniffing logger, one that just so happens to have the honeypot's private SSH key. SSHmitm of the dsniff toolkit might provide a good place to start with how to decrypt and log a sniffed SSH connection. An alternative approach would be a deliberately man in the middle proxy a SSH honeypot and make the proxy also "look" vulnerable to the worm. The proxy would do then be able to cleartext log all of the worm generated traffic, encrypted or not.
Adam ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
- Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
- Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
- Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)