Security Incidents mailing list archives

ssh scans

From: "Chad Mawson" <CMAWSON () woodsaitken com>
Date: Fri, 28 Sep 2001 15:42:52 -0500

I vaguely remember seeing something about this a month or so ago, but I
don't remember any details.  I am getting attempts 1-2 times a day from
different IP addresses on TCP port 22.

nmap returns this:

Port    State       Protocol  Service
21      open        tcp       ftp
22      open        tcp       ssh
23      open        tcp       telnet
80      filtered    tcp       http
5001    open        tcp       commplex-link

I can't get a telnet, or http response, but ssh and ftp do.  FTP - (not
trying to log in, just getting the headers) shows:

220 ArrowPoint (5.3.1) FTP server ready
Name (216.34.77.12:root):
331 Password required
Password:
530 Login failed.
Login failed.
ftp> quit
221 Thank you for visiting. May the remainder of your day be filled with
joy.

I also can't find any good info on the port 5001, I'm assuming these
systems have been compromised, but I'd like to make sure before I start
trying to contact anyone.

Thanks

Chad Mawson
Woods & Aitken LLP

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

ssh scans Chad Mawson (Sep 28)
- Re: ssh scans Heather Adkins (Sep 28)
  - Re: ssh scans Matthew Leeds (Sep 28)