Security Incidents mailing list archives

Anyone else seeing a spike in SSHd scans?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 27 Jun 2003 12:55:52 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

        I've seen an unusual spike in SSHd scans in the past 20 hours on
systems I maintain for my employer and those I run on my own time.  The
largest spike began yesterday between 12:16 and 18:16 hours (PDT) and the
others have begun trickling in on my non-work networks since around 08:00
hours today.

        It's all the usual suspects, of course: systems from Malaysia, the
Netherlands, a DSL provider in Norway, and a Cable service in Taiwan.

        What's intrigued me about this is that SSHd scans had been fairly
quiet for a time, then these scans generate more alerts than I've seen in
the past two months on both work and personal systems.  The last time a
similar series of scans occurred (10/2001), I wondered aloud if there
wasn't a new 0day exploit in the wild.  Less than two weeks later, Dave
Dittrich confirmed as much.

        So, to quote a phrase from Jurassic Park, "Hold on to your butt."

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+/KFMNlg1oZSC9mkRAjS1AJ4tzm2kzHXvyjmIKyCX/KI/Xzb+wACfa0Ph
4TI2EDbo+kxZqisE5fiUkmk=
=8s6l
-----END PGP SIGNATURE-----
