Security Incidents mailing list archives
Re: Pretty stealthy SSH scanning seen on the Internet.
From: kent () unit liu se (Kent Engström)
Date: 10 Sep 2001 12:23:21 +0200
Dug Song <dugsong () monkey org> writes:
> On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:
> > Anyone else seen this, or have any further information?
> dollars to donuts it's just niels: http://www.monkey.org/~provos/scanssh/
> he'll be publishing his results soon at a conference near you...
From the logs posted by Erik Fichtner <techs () obfuscation org>:
Sep 9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.
dig -x 199.171.27.50 gives:
50.27.171.199.in-addr.arpa. 57m20s IN PTR www10.gti.net.
Would Niels really use a machine whose PTR record was "www10.gti.net" to do that kind of scan? We have seen this IP scan our netblock too.

--
Kent Engström, Linköping University Incident Response Team
kent () unit liu se abuse () liu se +46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com