6. Which instances of the SSH servers from question 5 were run?

It may be that the attacker ran different versions on different ports at different times.
Anyway, the instances of ssh that we described in the previous answer were running:

 PID    Proc.Name  Name of service that normally uses that port  Port  Proto
 25239  xopen                                                    3049  UDP
 25241  xopen      squid-proxy                                   3128  TCP
 3137   smbd -D    http                                          80    TCP
 3137   smbd -D    https                                         443   TCP
 3137   smbd -D    cfinger                                       2003  TCP
 669    sshd       ssh                                           22    TCP

 
