Incident: 02-24-02 13:40pm

tcp:22 ssh

A *lot* of stuff is happening on tcp:22 ssh these days:

See: http://www.cert.org/advisories/CA-2001-35.html

"There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH."


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
snort:
Feb 24 13:40:22 greatwall snort: [1:0:0] TCP to 22 ssh {TCP}
 203.75.48.129:1285 -> 12.82.137.151:22
Feb 24 13:40:25 greatwall snort: [1:0:0] TCP to 22 ssh {TCP}
 203.75.48.129:1285 -> 12.82.137.151:22

ipchains:
Feb 24 13:40:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 203.75.48.129:1285 12.82.137.151:22
 L=60 S=0x00 I=28128 F=0x4000 T=51 SYN (#64)
Feb 24 13:40:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 203.75.48.129:1285 12.82.137.151:22
 L=60 S=0x00 I=29411 F=0x4000 T=51 SYN (#64)

p0f:
Sun Feb 24 13:40:22 2002 203.75.48.129 [14 hops]: Linux 2.2.9 - 2.2.18
  203.75.48.129:1285 -> 12.82.137.151:22 (timestamp: 47424825 @1014586822)
Sun Feb 24 13:40:25 2002 203.75.48.129 [14 hops]: Linux 2.2.9 - 2.2.18
  203.75.48.129:1285 -> 12.82.137.151:22 (timestamp: 47425125 @1014586825)


snort packet capture:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-13:40:22.835794 203.75.48.129:1285 -> 12.82.137.151:22
TCP TTL:51 TOS:0x0 ID:28128 IpLen:20 DgmLen:60 DF
******S* Seq: 0x507E087E  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 47424825 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-13:40:25.826090 203.75.48.129:1285 -> 12.82.137.151:22
TCP TTL:51 TOS:0x0 ID:29411 IpLen:20 DgmLen:60 DF
******S* Seq: 0x507E087E  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 47425125 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
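
As an added example (not part of the original incident record), a small Python correlator over the ipchains and snort records above: it joins the firewall verdict to each captured packet by IP ID and flags the second SYN as a retransmission, since it carries the same source port and the same sequence number as the first, which is what a client does when its first SYN gets no answer. The regexes and field names are my own assumptions about the two log formats; the ipchains lines are re-joined from the page's wrapped form.

```python
import re

# Constructed input: the ipchains and snort capture records from this incident,
# with the page's wrapped ipchains lines re-joined into one line each.
IPCHAINS = """\
Feb 24 13:40:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 203.75.48.129:1285 12.82.137.151:22 L=60 S=0x00 I=28128 F=0x4000 T=51 SYN (#64)
Feb 24 13:40:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 203.75.48.129:1285 12.82.137.151:22 L=60 S=0x00 I=29411 F=0x4000 T=51 SYN (#64)
"""
SNORT = """\
02/24-13:40:22.835794 203.75.48.129:1285 -> 12.82.137.151:22
TCP TTL:51 TOS:0x0 ID:28128 IpLen:20 DgmLen:60 DF
******S* Seq: 0x507E087E  Ack: 0x0  Win: 0x7D78  TcpLen: 40
02/24-13:40:25.826090 203.75.48.129:1285 -> 12.82.137.151:22
TCP TTL:51 TOS:0x0 ID:29411 IpLen:20 DgmLen:60 DF
******S* Seq: 0x507E087E  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

# Assumed field layout of the two formats (ipchains "Packet log" and snort -v headers).
IPCHAINS_RE = re.compile(
    r"Packet log: \w+ (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?I=(?P<ipid>\d+)")
SNORT_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+) .*\n"
    r"(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)")

def parse_ipchains(text):
    """Firewall verdict per TCP packet, keyed by (src, sport, dst, dport, IP ID)."""
    out = {}
    for line in text.splitlines():
        m = IPCHAINS_RE.search(line)
        if m and m["proto"] == "6":  # TCP only
            out[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["ipid"]))] = m["action"]
    return out

def parse_snort(text):
    """Snort packet-capture headers: TCP flags and sequence number per packet."""
    return [dict(key=(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["ipid"])),
                 flags=m["flags"], seq=int(m["seq"], 16))
            for m in SNORT_RE.finditer(text)]

def correlate(ipchains_text, snort_text):
    """Match captured packets to firewall verdicts by IP ID, and count SYN retransmissions:
    a pure SYN repeating the same 4-tuple and ISN means the earlier SYN was never answered."""
    denied = parse_ipchains(ipchains_text)
    pkts = parse_snort(snort_text)
    seen, retrans = set(), 0
    for p in pkts:
        if "S" in p["flags"] and "A" not in p["flags"]:
            conn = (p["key"][:4], p["seq"])
            retrans += conn in seen
            seen.add(conn)
    return {"captured": len(pkts), "denied": sum(p["key"] in denied for p in pkts),
            "syn_retransmits": retrans}
```

The 3-second gap between the two SYNs is the client's own retry timer, so two alerts here are one failed connection attempt, not two separate probes.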



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 203.75.48.129
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to WHOIS.APNIC.NET [202.12.29.13:43] ... 

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois5.apnic.net) 

inetnum:     203.75.0.0 - 203.75.255.255
netname:     HINET-TW
descr:       CHTD, Chunghwa Telecom Co.,Ltd.
descr:       Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:       Taipei Taiwan 100
country:     TW
admin-c:     HN27-AP
tech-c:      HN28-AP
remarks:     This information has been partially mirrored by APNIC from
remarks:     TWNIC. To obtain more specific information, please use the
remarks:     TWNIC whois server at whois.twnic.net.
source:      APNIC 

inetnum:     203.75.48.0 - 203.75.48.255
netname:     MRBO-NET
descr:       Dashing Information Co.,
descr:       1F,No. 7 Lane 47, Hwa-Kang Road
descr:       Taipei Taiwan
country:     TW
admin-c:     QIL-TW
tech-c:      QIL-TW
remarks:     This information has been partially mirrored by APNIC from
remarks:     TWNIC. To obtain more specific information, please use the
remarks:     TWNIC whois server at whois.twnic.net.
source:      TWNIC 

person:      Quen I Lin
address:     Dashing Information Co.,
address:     1F,No. 7 Lane 47, Hwa-Kang Road
address:     Taipei Taiwan
country:     TW
phone:       +886-2-2861-4384
fax-no:      +886-2-2861-9706
e-mail:      mrbo@mail.mrbo.com.tw
nic-hdl:     QIL-TW
source:      TWNIC


jsage@finchhaven.com
Last modified: Sun Feb 24 17:53:39 2002