ssh from SOURCE PORT 22 to dest port 22?
Results 1 to 4 of 4

Thread: ssh from SOURCE PORT 22 to dest port 22?

  1. #1

    ssh from SOURCE PORT 22 to dest port 22?

    Hey guys, im new here and this is my first post. Ive got a question about Secure Shell.
    Today at work snort allerted us to the following

    -- snort snort --

    [**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
    07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
    TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    ******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    [**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
    07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
    TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    ******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    a couple of things to note here.

    1. this appears to be a linux box, even though the Time to Live is set at 20. A quick
    traceroute 211.172.121.210 shows the host lies 20 hops away from me. point - TTL is forged

    2. the SYN | FYN flags are set. I understand the SNY flag being set to initiate a TCP connection, but to include the FYN flag as well, this is not normal ssh behaviour. point - packets are crafted by some tool / possible exploit

    does anyone know any possible ssh exploits or worms in the wild that use port 22 for the source port, that sets the SYN | FYN flag and that forges TTL values?

    perhaps im way off, but this type of traffic does not seem normal to me, looks like
    i may have been in the range of some worm or script kiddie scaning domains looking for
    vulnerable unpatched OpenBSD or whatever boxes.

    anyway hello to everyone, hope we all can be good friends.

    Helo from canada


    bye

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I agree that this was most likely some kind of automated tool, however you can't assume that because the TTL is 20 that it is not a valid TTL value, because you don't know what the original TTL was...Also, you can't assume that just becase a traceroute shows that the originating host is 20 hops away that it will always be 20 hops away. Internet routing protocols (such as BGP) will dynamically route packets based on a series of metrics. Unlike link state routing protocols (RIP) BGP usually does not care about the number of hops. It is more concerned about the most efficient path. And just because a path is the most efficient one minute doesn't mean it will be the next (caused by several factors such as congested links or down/flapping routes).

    But like I said to start, you are pretty safe to assume that this is not valid traffic. I also find it interesting that a 211.172.121.210 address is attempting to get to your 192.168.x.x address. I am curious to know where your IDS sensor is located. If it is outside your firewall, there is a definate problem because Internet routes will not route to a private IP range. If it is inside your firewall, it is still interesting because you should be blocking TCP-22 at your firewall in which case you wouldn't see it on your IDS sensor, unless of course 22 was left open intentionally, but that is generally not good practice. If you need a port open such as SSH, create your FW rules to only accept it from a specified source.

    Any more questions...please ask

    iNViCTuS

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, I just had the wierdest case of deja vu...wasn't there a post just like this a couple of weeks ago ? I thought I remember responding to something like this and suggesting a acl addition banning comm between well known src/dst ports and then getting into a discussion about whether it would break DNS...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    actually the ip address of my machine have been sanitized, perhaps to avoid confusion next time
    i'll just xxx.xxx.xxx.xxx instead

    you asked about the placement of my IDS, well its stitting on our firewall, the the box doubles
    as firewall and IDS.

    you also mentioned firewall rulesets also. I didnt really think it mattered but yes I have rulesets
    in place blocking incoming ssh traffic from everyone except the authorized hosts.

    here is the complete alert complete with firewall acl violation

    -- snip snip


    Jul 14 21:09:14 securelinux kernel: Packet log: input DENY eth0 PROTO=6 211.172.121.210:22 xxx.xxx.xxx.xxx:22 L=40 S=0x00 I=39426 F=0x0000 T=20 SYN (#23)
    Jul 14 21:09:14 securelinux snort[177]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
    Jul 14 21:09:14 securelinux snort[177]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)
    Jul 14 21:09:14 securelinux snort[5645]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
    Jul 14 21:09:14 securelinux snort[5645]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)

    thanks for your reply about TTL values, i'll head back to the classroom and read up
    a little on TTL.

    appreciate :>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides