[Snort-sigs] Bluesocket remote admin signature

Jon Hart warchild at ...288...
Mon Sep 15 09:58:02 EDT 2003


Thought people here might find this interesting.  

Bluesocket (http://www.bluesocket.com) seems to ship their wireless
gateways with a handy SSH server listening on port 2335.  In my dealings
with Bluesocket (warning them about old + exploitable SSH and Apache
servers shipping on the 1.x revision of their boxes), it seems that this
port is reserved for remote administration of the boxes by Bluesocket
admins, and supposedly the password is hardcoded, the same on every box,
and only known to certain Bluesocket support technicians.  Feel free to
speculate on your own about what security implications this brings along
with it.  This "feature" ships on by default.

Feel free to use the rule below to catch people connecting to this port
and, potentially, remotely administering your wireless gateway for you.

	alert tcp $HOME_NET 2335 -> $EXTERNAL_NET any (msg:"Bluesocket remote admin connection"; flow:from_server,established; content:"SSH-"; depth:4; dsize:<50; classtype:attempted-admin; sid:100004; reference:url,www.bluesocket.com;)


And yes, this is just a quick hack to the sig I posted some time back
here:

http://marc.theaimsgroup.com/?l=snort-sigs&m=104485074219764&w=2

For what it's worth, although both of these sigs are not perfect, I've
had no false positives with either of them.  

As a related note, I have seen people actively connecting to this port
on Bluesocket gateways.  Bluesocket had no explanation.

Have fun,

-jon
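
Added example, not part of the original post: a Python model of the rule's header and option checks, run over constructed segments to show which traffic alerts and which the rule does not see (such as a connection from inside $HOME_NET). The HOME_NET range, the addresses and the banner string are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed $HOME_NET (documentation range)
ADMIN_PORT = 2335                                 # port named in the post

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    established: bool = True  # handshake already completed

def in_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET

def rule_matches(seg):
    """Apply the posted rule's header and options to one TCP segment."""
    # Header: $HOME_NET 2335 -> $EXTERNAL_NET any (assumes EXTERNAL_NET = !HOME_NET).
    header = in_home(seg.src) and seg.sport == ADMIN_PORT and not in_home(seg.dst)
    # flow:from_server,established -- simplified: the port-2335 side is the server.
    flow = seg.established
    size = len(seg.payload) < 50              # dsize:<50
    content = seg.payload[:4] == b"SSH-"      # content:"SSH-"; depth:4
    return header and flow and size and content

GW, OUT, LAN = "192.0.2.10", "198.51.100.7", "192.0.2.55"
BANNER = b"SSH-2.0-example_1.0\n"             # constructed banner, not a real device's

# Constructed segments, one per case worth knowing about.
SAMPLES = {
    "gateway banner to external host": Segment(GW, ADMIN_PORT, OUT, 40000, BANNER),
    "external client banner to gateway": Segment(OUT, 40000, GW, ADMIN_PORT, BANNER),
    "gateway banner to internal host": Segment(GW, ADMIN_PORT, LAN, 40001, BANNER),
    "banner of 50 bytes or more": Segment(GW, ADMIN_PORT, OUT, 40000, b"SSH-2.0-" + b"x" * 45 + b"\n"),
    "later encrypted data from gateway": Segment(GW, ADMIN_PORT, OUT, 40000, b"\x00\x00\x01\x2c\x0a\x14"),
    "ssh banner on port 22": Segment(GW, 22, OUT, 40000, BANNER),
}

def evaluate(samples=SAMPLES):
    """Return {case name: True if the rule would alert}."""
    return {name: rule_matches(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'no alert':8}  {name}")
```

Only the gateway's own banner leaving for an external address alerts, so a deployment that also cares about connections from inside would need a second rule with a different destination.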
