Security Incidents mailing list archives
Re: Anyone else seeing SSH scans?
From: Jon Lewis <jlewis () lewis org>
Date: Wed, 28 Jul 2004 14:23:31 -0400 (EDT)
On Tue, 27 Jul 2004, Matthew Dharm wrote:
I've noticed that several *NIX machines I have running (all of which are located in the same IP block) are periodically getting scanned via ssh for the accounts 'test' and 'guest'. The source IP varies with each scan. But I'm getting about one of these a day now. Obviously, I don't have accounts with that name on my systems, but still....
I just had a look through the logs on one of my boxes and though I don't allow incoming ssh without jumping through additional hoops, I do see that something is sequentially scanning IP space for sshds. This box has two subnets routed to/through it and those are separated by several dozen /24's worth of IP space. In most of the scans, I'm seeing all IPs in the lower subnet hit simultaneously (all within the same second) followed by the IPs in the higher subnet simultaneously hit 5s to nearly a minute later. The source IPs are all over the world (US, China, Korea, Austria to name a few) and most are running various versions of openssh. A few are currently unreachable. Has anyone successfully contacted any of the admins responsible for the scanning boxes to try to find out what's behind this? ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Current thread:
- Anyone else seeing SSH scans? Matthew Dharm (Jul 27)
- Re: Anyone else seeing SSH scans? Charles Heselton (Jul 28)
- Re: Anyone else seeing SSH scans? Ed J. Aivazian (Jul 28)
- Re: Anyone else seeing SSH scans? Seth J. Blank (Jul 28)
- Re: Anyone else seeing SSH scans? Jon Lewis (Jul 29)
- <Possible follow-ups>
- Re: Anyone else seeing SSH scans? sk (Jul 28)
- Re: Anyone else seeing SSH scans? Hossein Rafighi (Jul 29)
- RE: Anyone else seeing SSH scans? Andrew Kopp ( Tor ZEW ) (Jul 28)
- RE: Anyone else seeing SSH scans? R Michael Williams (Jul 29)
- RE: Anyone else seeing SSH scans? Ian Hayes (Jul 29)
- RE: Anyone else seeing SSH scans? GUSAIN, SUBODH (Jul 29)