Security Incidents mailing list archives

Re: slowish ssh scan from 149.69.85.65


From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Wed, 5 Dec 2001 11:52:35 -0600 (CST)

On Wed, 5 Dec 2001, Russell Fulton wrote:

> Greetings All,
>
> starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from
> 149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)) who
> have been notified -- no response yet.
>
> times are UTC:
>
> Here are argus logs from the start of the scan:
>
> 04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.246.76.22    S_

Us, too (i.e. noted and blocked) (timestamps in CST [6hr west of UTC]):

[4 Dec ...]
18:49:26.223817 149.69.85.65.20 > MY.NET.10.38.22: S 2168502234:2168502234(0) win 16383 (DF)
18:49:26.224625 149.69.85.65.20 > MY.NET.46.172.22: S 1105269703:1105269703(0) win 16383 (DF)
18:49:26.227256 149.69.85.65.20 > MY.NET.83.50.22: S 1657904554:1657904554(0) win 16383 (DF)
19:37:53.536652 149.69.85.65.20 > MY.NET.186.198.22: S 3121786201:3121786201(0) win 16383 (DF)
19:37:53.536980 149.69.85.65.20 > MY.NET.223.76.22: S 2535195653:2535195653(0) win 16383 (DF)
20:23:45.174780 149.69.85.65.20 > MY.NET.253.212.22: S 2148637354:2148637354(0) win 16383 (DF)
22:11:58.666148 149.69.85.65.20 > MY.NET.132.70.22: S 2788760079:2788760079(0) win 16383 (DF)
        :
        :
        :
[5 Dec ...]
04:09:35.725747 149.69.85.65.20 > MY.NET.24.234.22: S 2517150545:2517150545(0) win 16383 (DF)
04:09:35.727293 149.69.85.65.20 > MY.NET.61.112.22: S 1628242169:1628242169(0) win 16383 (DF)
04:09:35.727798 149.69.85.65.20 > MY.NET.97.246.22: S 2442363253:2442363253(0) win 16383 (DF)
04:09:35.728948 149.69.85.65.20 > MY.NET.134.124.22: S 1516061231:1516061231(0) win 16383 (DF)
04:09:35.729401 149.69.85.65.20 > MY.NET.171.2.22: S 2274091846:2274091846(0) win 16383 (DF)
04:09:35.729733 149.69.85.65.20 > MY.NET.207.136.22: S 1263654121:1263654121(0) win 16383 (DF)
05:01:53.515893 149.69.85.65.20 > MY.NET.91.248.22: S 1300803353:1300803353(0) win 16383 (DF)
05:12:50.074005 149.69.85.65.20 > MY.NET.26.142.22: S 1540461245:1540461245(0) win 16383 (DF)
05:12:50.074471 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.074602 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.075101 149.69.85.65.20 > MY.NET.99.154.22: S 1318554152:1318554152(0) win 16383 (DF)
05:25:35.554361 149.69.85.65.20 > MY.NET.34.48.22: S 2277649205:2277649205(0) win 16383 (DF)
05:25:35.554696 149.69.85.65.20 > MY.NET.70.182.22: S 1268990159:1268990159(0) win 16383 (DF)
05:25:35.555322 149.69.85.65.20 > MY.NET.107.60.22: S 1903485238:1903485238(0) win 16383 (DF)
05:25:35.555674 149.69.85.65.20 > MY.NET.143.194.22: S 2855227857:2855227857(0) win 16383 (DF)
05:25:35.556002 149.69.85.65.20 > MY.NET.180.72.22: S 2135358137:2135358137(0) win 16383 (DF)



-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

