Security Incidents mailing list archives

fast ssh scans


From: Can Erkin Acar <canacar () eee metu edu tr>
Date: Thu, 18 Oct 2001 10:40:33 +0300

Recently we have observed a fast scan for the SSH service from a single
host to our complete Class B address range. The owner of the host is
notified and they are investigating the situation. Since this is the
first time I have encountered such a scan, I wanted to share the details:

The complete class B address space was scanned very rapidly first by a
SYN-FIN scan, followed by a TCP-Connect scan to the ports found open.
The second connection was almost immediate, suggesting a single tool
doing both scans.

The host appears to run Linux (from passive OS fingerprint)
and the host was both a DNS server and mail exchanger for its domain.

Log information from a single host is below. Times are in EET (GMT+0200).

* Packet logs (src and dest. address obfuscated).
  First line is the SYN-FIN scan src port 22 and SF flags imply root access
  to the machine. Second line is the probe.

Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)

* SSH log of the same machine: Shows that the second probe was a real
  connection (not a SYN scan). It is probably used to collect version
  information from the server. I believe it is NOT scanssh since scanssh
  does send a version string.

Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170.


It looks like a custom tool looking for vulnerable sshd versions.
Has anyone encountered something similar?


Can
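The three-stage pattern described in the post (a SYN-FIN probe from source port 22, a real TCP connect to port 22 about a second later, then sshd logging that no client version string arrived) is easy to correlate from the two log sources it mentions. The script below is an added example written for this archive page, not code from the original poster; it parses tcpdump-style packet lines and sshd syslog lines, links them per source/destination pair within a short time window, and also reports how many distinct hosts each source swept with SYN-FIN. The sample lines are constructed with placeholder addresses (the post's real addresses are obfuscated), the year 2001 is assumed because syslog lines carry none, and the 5-second window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the post; addresses are placeholders.
PACKET_LOG = """\
Oct 16 19:54:25.228427 10.0.0.1.22 > 192.0.2.5.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
Oct 16 19:54:25.230011 10.0.0.1.22 > 192.0.2.6.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39427)
Oct 16 19:54:25.231502 10.0.0.1.22 > 192.0.2.7.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39428)
Oct 16 19:54:26.573878 10.0.0.1.1845 > 192.0.2.5.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)
Oct 16 20:10:01.000000 198.51.100.9.40001 > 192.0.2.5.22: S [tcp sum ok] 1:1(0) win 5840 (ttl 60, id 1)
"""

SSHD_LOG = """\
Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 10.0.0.1.
Oct 16 20:10:02 hostname sshd[3250]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

YEAR = 2001  # assumed: syslog timestamps have no year; the post is from October 2001
IP = r"\d+(?:\.\d+){3}"

PKT_RE = re.compile(
    rf"^(?P<mon>\w{{3}}) +(?P<day>\d+) (?P<time>[\d:.]+) "
    rf"(?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAUEW.]+) "
)
SSHD_RE = re.compile(
    rf"^(?P<mon>\w{{3}}) +(?P<day>\d+) (?P<time>[\d:]+) \S+ sshd\[\d+\]: "
    rf"Did not receive identification string from (?P<src>{IP})\.?$"
)


def parse_ts(mon, day, time):
    """Build a datetime from syslog fields; tcpdump times carry microseconds, sshd times do not."""
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in time else "%Y %b %d %H:%M:%S"
    return datetime.strptime(f"{YEAR} {mon} {int(day):02d} {time}", fmt)


def parse_packets(text):
    events = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["mon"], m["day"], m["time"]),
                           "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "flags": m["flags"]})
    return events


def parse_noid(text):
    """Only the 'Did not receive identification string' events are of interest here."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["mon"], m["day"], m["time"]), "src": m["src"]})
    return events


def sf_sweep(packet_text):
    """Distinct hosts per source that received a SYN-FIN probe to port 22 (breadth of the sweep)."""
    hosts = {}
    for p in parse_packets(packet_text):
        if p["flags"] == "SF" and p["dport"] == 22:
            hosts.setdefault(p["src"], set()).add(p["dst"])
    return {src: len(d) for src, d in hosts.items()}


def correlate(packet_text, sshd_text, window=timedelta(seconds=5)):
    """One finding per (src, dst) pair showing: SYN-FIN from sport 22 -> real SYN to
    port 22 within `window` -> sshd closing that session without a client version string."""
    packets = parse_packets(packet_text)
    noid = parse_noid(sshd_text)
    findings = []
    for sf in packets:
        if sf["flags"] != "SF" or sf["sport"] != 22 or sf["dport"] != 22:
            continue
        syn = next((p for p in packets
                    if p["flags"] == "S" and p["src"] == sf["src"] and p["dst"] == sf["dst"]
                    and p["dport"] == 22 and sf["ts"] < p["ts"] <= sf["ts"] + window), None)
        if syn is None:
            continue  # port closed or filtered: the tool never came back for a banner grab
        # sshd logs at one-second granularity, so allow the log line to precede the SYN by up to 1s
        banner = next((e for e in noid if e["src"] == sf["src"]
                       and syn["ts"] - timedelta(seconds=1) <= e["ts"] <= syn["ts"] + window), None)
        if banner is None:
            continue
        findings.append({"src": sf["src"], "dst": sf["dst"], "synfin": sf["ts"],
                         "connect": syn["ts"], "no_banner": banner["ts"]})
    return findings


if __name__ == "__main__":
    print("SYN-FIN sweep breadth:", sf_sweep(PACKET_LOG))
    for f in correlate(PACKET_LOG, SSHD_LOG):
        print(f"{f['src']} -> {f['dst']}: SYN-FIN {f['synfin'].time()}, "
              f"connect {f['connect'].time()}, no banner {f['no_banner'].time()}")
```

The legitimate login from 198.51.100.9 is never flagged because it has no preceding SYN-FIN and sshd recorded an accepted session, while the scanner's two other SYN-FIN probes (to hosts that did not answer) still count toward the sweep breadth even though they produce no correlated finding.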


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
