Incident: 02-23-02 09:18am

tcp:22 ssh

A *lot* of stuff is happening on tcp:22 ssh these days:

See: http://www.cert.org/advisories/CA-2001-35.html

"There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH."


snort2html.plx:

Feb 23 09:18:06 - snort [1:0:0] TCP to 22 ssh 
  Source IP: 194.143.41.132   Source port: 22 
Source host: 194.143.41.132
  Target IP: 12.82.132.108   Target port: 22   Proto: TCP 
Target host: 108.seattle-11-12rs.wa.dial-access.att.net

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

snort:

02/23-09:18:06.568113 194.143.41.132:22 -> 12.82.132.108:22
TCP TTL:118 TOS:0x0 ID:40935 IpLen:20 DgmLen:40
******S* Seq: 0x3B05B5DD  Ack: 0x5185E29A  Win: 0xA7FB  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ipchains:

Feb 23 09:18:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 194.143.41.132:22 12.82.132.108:22
 L=40 S=0x00 I=40935 F=0x0000 T=118 SYN (#64)
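The ipchains record above is wrapped over three lines but parses cleanly once re-joined. As an added example (not part of the original incident note), the Python below splits that record into its fields and flags what this probe shows: a bare SYN to tcp/22 sent from source port 22, which a normal SSH client (ephemeral source port) never produces. The field layout follows the ipchains kernel log format; the sport == dport == 22 heuristic is the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ipchains (Linux 2.2) "Packet log:" fields: <chain> <verdict> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<TOS> I=<ipid> F=<frag> T=<TTL> [SYN] (#<rule>)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flag>SYN))? \(#(?P<rule>\d+)\)"
)

@dataclass
class PacketLog:
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ipid: int
    ttl: int
    syn: bool
    rule: int

def join_wrapped(text: str) -> str:
    """Re-join a record wrapped onto indented continuation lines (as on this page)."""
    return re.sub(r"\n\s+", " ", text.strip())

def parse_ipchains(line: str) -> Optional[PacketLog]:
    m = IPCHAINS_RE.search(line)
    if m is None:
        return None
    return PacketLog(m["verdict"], m["iface"], int(m["proto"]), m["src"],
                     int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]),
                     int(m["ipid"]), int(m["ttl"]), m["flag"] == "SYN",
                     int(m["rule"]))

def is_ssh_probe(p: PacketLog) -> bool:
    """Bare SYN to tcp/22 sent from port 22: a real client uses an ephemeral
    source port, so sport == dport == 22 marks a scanner, not a login."""
    return p.proto == 6 and p.syn and p.dport == 22 and p.sport == 22

# The ipchains record from this page, as logged (wrapped over three lines).
SAMPLE = """Feb 23 09:18:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 194.143.41.132:22 12.82.132.108:22
 L=40 S=0x00 I=40935 F=0x0000 T=118 SYN (#64)"""
```

The same fields (L=40, T=118, I=40935, SYN) line up with the snort and p0f entries on this page, so the parsed record can be used to correlate the three sensors on one event.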

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

p0f:

Sat Feb 23 09:18:06 2002 194.143.41.132: UNKNOWN [43003:118:0:0:-1:0:0:40].
 194.143.41.132:22 -> 12.82.132.108:22

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

host:

[toot@sparky /storage/snort/old_snorts/022302]# host 194.143.41.132
Host 132.41.143.194.in-addr.arpa. not found: 3(NXDOMAIN)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

whois:

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 © 1999-2001 William E. Weinman 

Request: 194.143.41.132
connecting to whois.arin.net [63.146.182.182:43] ...
connecting to whois.ripe.net [193.0.0.135:43] ...

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html 

inetnum:      194.143.41.128 - 194.143.41.159
netname:      NO-LEIF-HOEGH-CO-NET
descr:        Leif Hoegh & Co
country:      NO
admin-c:      TM74-RIPE
tech-c:       TM74-RIPE
source:       RIPE 

route:        194.143.0.0/17
descr:        Nextra, Postboks 393 - Skoyen, N-0212 Oslo, Norway
origin:       AS2119
source:       RIPE 

person:       Tore Mioen
address:      Leif Hoegh & Co AS
address:      Wergelandsveien 1
address:      Postboks 2596, Solli
address:      N-0203 Oslo
address:      Norway
phone:        +47 22 86 99 10
fax-no:       +47 22 86 99 03
e-mail:       edb@hoegh.no
nic-hdl:      TM74-RIPE
source:       RIPE


jsage@finchhaven.com
Last modified: Sun Feb 24 13:18:09 2002