Re: Spike in SSH scans

[Shaun <shaun () shaunc com>]

I saw an unusually high volume of scans between 2200 and 0000 last night
on my residential connection. They all made their initial probe using
'mysql' as the user. On average it looks like each of them made around
15 attempts, which is fairly low, and points to a scanner smart enough
to recognize that it's been firewalled out.

So far, nothing out of the ordinary at work or on dedicated servers.
Maybe it's only targeting consumer connections? FWIW, my residential IP
is in 75.65/16.

-s

On Sun, 21 Oct 2007 21:20:38 -0600
James Lay <jlay () slave-tothe-box net> wrote:

> Anyone else seeing these?  Started about 3 hours ago..here¹s a snipit:
>
> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH
> Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc
> activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
>
> And a current list of hits in the last 3 hours:
>
> 124.39.168.43
> 129.13.250.46
> 145.253.128.85
> 148.245.157.217
> 149.99.20.238
> 161.106.180.173
> 193.158.0.195
> 194.25.114.106
> 195.113.185.38
> 195.138.155.54
> 195.228.238.186
> 195.56.72.157
> 195.73.54.73
> 200.126.111.38
> 200.62.177.91
> 200.79.37.194
> 201.16.17.246
> 201.216.245.25
> 201.245.109.170
> 211.139.69.28
> 212.101.30.8
> 212.202.248.130
> 212.248.23.6
> 213.136.105.130
> 213.156.69.126
> 213.186.47.65
> 213.255.77.62
> 213.35.211.206
> 213.66.184.110
> 213.84.74.76
> 216.193.233.168
> 217.110.171.150
> 217.113.71.130
> 217.151.68.244
> 217.156.103.234
> 217.160.19.157
> 217.71.214.191
> 218.207.69.8
> 218.249.108.166
> 60.12.130.117
> 62.105.180.178
> 62.112.158.141
> 62.218.215.134
> 62.65.142.213
> 62.76.246.253
> 64.81.228.200
> 66.236.209.227
> 67.118.242.129
> 67.132.173.150
> 70.107.224.252
> 70.151.62.113
> 72.248.139.227
> 77.104.241.141
> 80.200.249.230
> 80.201.241.44
> 80.33.222.48
> 80.51.139.82
> 80.55.142.66
> 81.180.88.6
> 81.68.198.23
> 81.75.124.51
> 82.103.102.12
> 82.141.44.153
> 82.239.231.89
> 83.15.246.226
> 83.151.18.189
> 83.19.34.46
> 83.227.183.88
> 83.236.170.54
> 83.246.96.38
> 83.246.96.54
> 83.65.141.94
> 85.114.130.199
> 85.120.129.130
> 85.17.10.106
> 85.214.54.182
> 85.48.224.186
> 87.127.193.225
> 88.32.56.1
> 89.110.147.183
> 89.171.12.78
> 91.192.189.19
>
> James


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/