Security Incidents mailing list archives

Re: port 22->port 22 scans

From: spaceork <spaceork () dhp com>
Date: Sat, 6 Oct 2001 15:43:44 -0400 (EDT)

On Sat, 6 Oct 2001, Pavel Kankovsky wrote:

The traits of all those sweeps were very similar:

- the source port of all probes was 22
- all probes within one sweep had the same IP ID (*)
- lost/filtered probes were not retried
- the sweeps were pretty fast, hundreds of addresses in few seconds
- no actual i/o was done

(*) With 1 exception that had a TTL different from other logged probes
in the sweep as well.


This appears to be the work of the synscan tool. Did the common IP IDs
happen to have a value of 39426? 


        -spaceork 



"All the time they were creating
 What has destroyed them,
 And they fall with the burden
 They built."
--------------------------------
spaceork () dhp com
http://www.dhp.com/~spaceork


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

port 22->port 22 scans Pavel Kankovsky (Oct 06)
- Re: port 22->port 22 scans spaceork (Oct 07)
- Re: port 22 scans + 53 scans Steven S (Oct 07)
  - Re: port 22 scans + 53 scans John Sage (Oct 08)
- <Possible follow-ups>
- RE: port 22->port 22 scans Dean Cunningham (Oct 07)
- Re: port 22->port 22 scans Pavel Kankovsky (Oct 13)