Hello and welcome to the Tuesday, May 19th,

2006 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich,

recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

cybersecurity leadership. Let's start out today with today's diary, and that comes again from

one of our Sands undercredit interns. Gokul Prima Tanga Tanga well wrote this particular diary about, well, the ever-present SSH bots.

Bots that are brute-forcing usernames and passwords for SSH,

and then they often install modified authorized keys files,

which, of course, then act as a backdoor for the attacker.

Now, the one thing that Gokul here is looking at

is a very well-established chain of these S-H-Bots

that always is leaving behind the same authorized keys files.

That's sort of one of the indicators of compromise here.

But Gokul dot some subtle, well, modification to the binary being used to do the scanning in that it updated to a new LibSH.

LibSH is the base library that implements SSH, and then we also have these hash values.

Now, hash is written here with two S's, basically H-A-S-S-H, which basically identifies the

S-H connection details, and with that often identifies the matter.

But that now changed with the switch to the new lip SSH.

And, well, what this really means is don't be too specific on your indicators of compromise.

If you're seeing a lot of outbound asage connection,

there is a good chance that you have a system in your network

...