ssh from SRC port 22 to DST port 22??
Hey guys, I'm new here and this is my first post. I've got a question about Secure Shell.
Today at work snort alerted us to the following
-- snort snort --
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+
A couple of things to note here.
1. This appears to be a Linux box, even though the Time to Live is set at 20. A quick traceroute 211.172.121.210 shows the host lies 20 hops away from me. Point - TTL is forged
2. The SYN | FIN flags are set. I understand the SYN flag being set to initiate a TCP connection, but to include the FIN flag as well, this is not normal ssh behaviour. Point - packets are crafted by some tool / possible exploit
3. Does anyone know any possible ssh exploits or worms in the wild that use port 22 for the source port, set the SYN | FIN flags and forge TTL values?
Perhaps I'm way off, but this type of traffic does not seem normal to me; looks like I may have been in the range of some worm or script kiddie scanning domains looking for vulnerable unpatched OpenBSD or whatever boxes.
Anyway, hello to everyone, hope we all can be good friends.
Hello from Canada
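The alert in the post is Snort's "full" alert format, and the three things the poster reasons about (the flag combination, the 22-to-22 ports, the TTL) can all be checked mechanically. The script below is an added example, not part of the original post: it parses records in that format and attaches a finding for each property that no ordinary ssh client connection produces. The input is constructed from the record in the thread plus one made-up benign SYN for contrast; the flag column order "12UAPRSF" is Snort's own convention, and the common initial TTL values and the 30-hop plausibility cutoff are assumptions of the example.

```python
"""Parse Snort 'full' alert records like the one in this thread and apply
sanity checks a defender would want flagged on each TCP packet.
Added example; the sample input is constructed from the thread's record
plus one made-up benign record so the checks have a negative case."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the record posted in the thread, followed by an
# ordinary SYN from an ephemeral port (made up) for contrast.
SAMPLE_ALERTS = """\
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] CONSTRUCTED: ordinary ssh client SYN, for contrast [**]
07/14-21:10:02.000001 192.168.4.50:51234 -> 192.168.4.34:22
TCP TTL:63 TOS:0x0 ID:1 IpLen:20 DgmLen:60
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x4000 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) ")
# Snort prints TCP flags as an 8-column string in the order "12UAPRSF"
# (reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' means "not set".
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+) "
    r"Ack: (?P<ack>0x[0-9A-Fa-f]+) ")

# Assumed common initial TTLs: Linux/BSD, Windows, Solaris/Cisco.
COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass
class Alert:
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: set
    seq: int
    ack: int
    findings: list = field(default_factory=list)


def parse_alerts(text):
    """Split Snort full-alert output into records and extract the fields used below."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"msg": m.group("msg")}
            continue
        if cur is None:
            continue  # separator lines between records
        if (m := ADDR_RE.match(line)):
            cur.update(ts=m.group("ts"), src=m.group("src"), sport=int(m.group("sport")),
                       dst=m.group("dst"), dport=int(m.group("dport")))
        elif (m := IP_RE.match(line)):
            cur["ttl"] = int(m.group("ttl"))
        elif (m := TCP_RE.match(line)):
            cur["flags"] = {c for c in m.group("flags") if c != "*"}
            cur["seq"] = int(m.group("seq"), 16)
            cur["ack"] = int(m.group("ack"), 16)
            alerts.append(Alert(**cur))
            cur = None
    return alerts


def check_alert(a, max_plausible_hops=30):
    """Attach a finding for each header property no normal ssh client produces."""
    if {"S", "F"} <= a.flags:
        a.findings.append("SYN and FIN set together: never valid, packet was crafted")
    if "S" in a.flags and "A" not in a.flags and a.ack != 0:
        a.findings.append("non-zero ACK number on a bare SYN: crafted header")
    if a.sport == a.dport and a.sport < 1024:
        a.findings.append(f"source port {a.sport} equals destination port; "
                          "real clients use ephemeral ports")
    # Hop distance implied by the nearest common initial TTL above the observed value.
    initial = next((t for t in COMMON_INITIAL_TTLS if t >= a.ttl), None)
    if initial is not None and initial - a.ttl > max_plausible_hops:
        a.findings.append(f"TTL {a.ttl} implies {initial - a.ttl} hops from a "
                          f"{initial} default: likely forged")
    return a.findings


def triage(text):
    """Return {'src:sport->dst:dport': [findings]} for every parsed alert."""
    return {f"{a.src}:{a.sport}->{a.dst}:{a.dport}": check_alert(a)
            for a in parse_alerts(text)}


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_ALERTS).items():
        print(key, "->", findings or "nothing unusual")
```

Run it and the thread's record collects all four findings while the constructed benign SYN collects none; the TTL check only flags a packet when the implied hop count from the nearest default is implausible, so an honest TTL of 63 one hop away passes.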
Re: ssh from SRC port 22 to DST port 22??
Quote:
Originally posted here by slackwarelinux
Hey guys, I'm new here and this is my first post. I've got a question about Secure Shell.
Today at work snort alerted us to the following
-- snort snort --
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+
A couple of things to note here.
1. This appears to be a Linux box, even though the Time to Live is set at 20. A quick traceroute 211.172.121.210 shows the host lies 20 hops away from me. Point - TTL is forged
It could have just been set artificially high, no? In any case, I'd be less concerned with that for now...
<edit>
BTW, are these logs sanitized? Or are you doing reverse NAT? You shouldn't be able to hit 192.168.0.0/16 from an outside address. So, if this is real and you're not doing reverse NAT (good bet you are, though, protecting things by a firewall and relaying things "in" to the network), then this is an insider.
</edit>
Quote:
2. The SYN | FIN flags are set. I understand the SYN flag being set to initiate a TCP connection, but to include the FIN flag as well, this is not normal ssh behaviour. Point - packets are crafted by some tool / possible exploit
3. Does anyone know any possible ssh exploits or worms in the wild that use port 22 for the source port, set the SYN | FIN flags and forge TTL values?
Perhaps I'm way off, but this type of traffic does not seem normal to me; looks like I may have been in the range of some worm or script kiddie scanning domains looking for vulnerable unpatched OpenBSD or whatever boxes.
Anyway, hello to everyone, hope we all can be good friends.
Hello from Canada
Well, it certainly doesn't look like "normal" traffic... the low-port to low-port is probably in an effort to evade any screens on a packet (don't things like root scp use port 22 to port 22 or similar for their connection? or sftp or similar? To be honest, I've not looked at the traffic pattern(s) on ssh much as it's typically wide open on perimeter boxes anyway - though I almost always move the port to something else, I rarely filter on source port for SSH.)
And the SYN-FIN scan, I /think/ is referring to the type of scan... basically the machine is tearing down the connection as soon as it's started, as the ACK is never sent. This might imply that someone's spoofing the scan from a machine mid-way between the boxes where they can snoop the traffic going by and implicate the other machine - if they see the SYN-ACK from your box, they know the port's open and the FIN coming back is just nicely clearing the SYN table for you on your box (else you might see a SYN-flood warning in addition, or your box might stop responding for a bit if it were suitably old to suffer from such issues).
I, personally, know of no worms/scans in the wild that would use some such technique - though it could easily be a home crafted one. I'd make sure that your versions of SSH are current, particularly if you use OpenSSH. I'd also consider moving any SSH ports that are open to the internet to something "uncommon" or that would be missed in a "common port scan" like those typically done with something like nmap.
I'd also go check your syslogs for attempts on SSH from other machines now, too.
Hope this late night/early morning rambling helps. Feel free to PM me if you want more info, etc, when I'm more awake.
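The reply's "go check your syslogs for attempts on SSH" is the follow-up that actually tells you whether anything got past the scan stage. As an added example (not code from either poster), the script below summarizes OpenSSH's standard "Accepted ...", "Failed ...", and "Did not receive identification string" syslog lines per source address, so a burst of failures or probes from one host stands out. The log lines are constructed for the example (TEST-NET and private addresses, made-up host name, PIDs and users), and the threshold of three failures is an arbitrary assumption.

```python
"""Summarize sshd authentication events from syslog by source address.
Added example; the log lines below are constructed and every address,
host name, PID and user in them is made up."""
import re
from collections import defaultdict

# Constructed sample syslog extract (sshd's standard message formats).
SAMPLE_SYSLOG = """\
Jul 14 21:09:20 gw sshd[4021]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 14 21:09:22 gw sshd[4023]: Failed password for invalid user admin from 198.51.100.7 port 40215 ssh2
Jul 14 21:09:25 gw sshd[4025]: Failed password for invalid user test from 198.51.100.7 port 40219 ssh2
Jul 14 21:09:31 gw sshd[4027]: Accepted publickey for alice from 192.168.4.50 port 51234 ssh2
Jul 14 21:10:02 gw sshd[4031]: Failed password for alice from 192.168.4.50 port 51240 ssh2
Jul 14 21:10:05 gw sshd[4031]: Accepted password for alice from 192.168.4.50 port 51240 ssh2
Jul 14 21:11:40 gw sshd[4040]: Did not receive identification string from 198.51.100.7
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<body>.*)$")

# Event kinds in the order they are tried; the first match wins.
EVENT_PATTERNS = [
    ("accepted", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed", re.compile(
        r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    # Connections that closed without speaking SSH at all, typical of scanners.
    ("noident", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
]


def summarize(text):
    """Return {ip: {'accepted': n, 'failed': n, 'noident': n, 'users': set}}."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "noident": 0, "users": set()})
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd line
        body = m.group("body")
        for kind, pat in EVENT_PATTERNS:
            e = pat.match(body)
            if e:
                s = stats[e.group("ip")]
                s[kind] += 1
                if "user" in e.groupdict():
                    s["users"].add(e.group("user"))
                break
    return dict(stats)


def suspicious_sources(text, fail_threshold=3):
    """Sources with at least fail_threshold failures, sorted for stable output."""
    return sorted(ip for ip, s in summarize(text).items() if s["failed"] >= fail_threshold)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_SYSLOG).items():
        print(f"{ip}: accepted={s['accepted']} failed={s['failed']} "
              f"noident={s['noident']} users={sorted(s['users'])}")
    print("suspicious:", suspicious_sources(SAMPLE_SYSLOG))
```

Per-source grouping is what matters here: a single user mistyping a password once looks the same as a scanner in a line-by-line read, but the spread of attempted usernames and the "no identification string" probes separate the two at a glance.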