[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] SSH



John Lucas wrote:
Port scanning is the examination of remote systems for available services and is a usual preliminary used by "crackers" to exploit a vulnerable service for break-in. In this case it probably means that tcp port 22 on *many* remote systems were being probed to see if the service is accessable. Next step would be to determine the version of the service and what platform it is on to see if it can be exploited. As an example a simple "telnet somehost 22" might return: "SSH-1.99-OpenSSH_3.5p1". There could be automated tools that discover vulnerable systems and also automates the exploit (one does not have to be clever).

AFAIK there is no current exploit on recent SSH services, so one would have to be looking for really old versions.

There is a lot of brute force password guessing going on, though, so there are probably automated scripts and perhaps trojans of some sort doing it. If you have port 22 open inbound, you'll probably see a lot of login attempts with user names that don't exist and/or bad passwords.

If you have a port that can monitor all outbound connections you can:
tcpdump port 22
and watch for one internal address trying to connect to a lot of different destinations. If you've connected to the monitor host via ssh yourself, make that:
tcpdump port 22 and not host my_ip_address
to keep your own traffic from cluttering what you see.

--
  Les Mikesell
   les futuresource com



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]