Full Disclosure mailing list archives
Re: Spike in SSH scans
From: Shaun <shaun () shaunc com>
Date: Mon, 22 Oct 2007 12:28:41 -0500
I saw an unusually high volume of scans between 2200 and 0000 last night on my residential connection. They all made their initial probe using 'mysql' as the user. On average it looks like each of them made around 15 attempts, which is fairly low, and points to a scanner smart enough to recognize that it's been firewalled out.

So far, nothing out of the ordinary at work or on dedicated servers. Maybe it's only targeting consumer connections? FWIW, my residential IP is in 75.65/16.

-s

On Sun, 21 Oct 2007 21:20:38 -0600 James Lay <jlay () slave-tothe-box net> wrote:
Anyone else seeing these? Started about 3 hours ago..here's a snippet:

21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22

And a current list of hits in the last 3 hours:

James
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
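
Added example, not part of the original posts: one way to check your own sshd log for the pattern described in the reply above (first attempt as 'mysql', a low attempt count per source). The log lines are constructed samples in OpenSSH's syslog format using documentation IP ranges; the function names and the 20-attempt cutoff are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Oct 21 22:03:11 host sshd[4101]: Invalid user mysql from 203.0.113.7
Oct 21 22:03:11 host sshd[4101]: Failed password for invalid user mysql from 203.0.113.7 port 40112 ssh2
Oct 21 22:03:14 host sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40120 ssh2
Oct 21 22:03:17 host sshd[4105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Oct 21 22:10:42 host sshd[4188]: Failed password for invalid user mysql from 198.51.100.23 port 51877 ssh2
Oct 21 22:10:45 host sshd[4190]: Failed password for invalid user test from 198.51.100.23 port 51880 ssh2
Oct 21 23:15:02 host sshd[4402]: Failed password for alice from 192.0.2.50 port 60001 ssh2
Oct 21 23:15:09 host sshd[4402]: Accepted password for alice from 192.0.2.50 port 60001 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user mysql".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Return {src_ip: {"first_user", "attempts", "users"}} in first-seen order."""
    sources = OrderedDict()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # "Invalid user" and "Accepted" lines are not counted as attempts
        entry = sources.setdefault(
            m["src"], {"first_user": m["user"], "attempts": 0, "users": []})
        entry["attempts"] += 1
        if m["user"] not in entry["users"]:
            entry["users"].append(m["user"])
    return sources

def matching_sources(sources, first_user="mysql", max_attempts=20):
    """Sources whose first attempt used first_user and that stopped within max_attempts.
    The default cutoff of 20 is an assumed threshold, not a value from the thread."""
    return [ip for ip, e in sources.items()
            if e["first_user"] == first_user and e["attempts"] <= max_attempts]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in summary.items():
        print(f"{ip:15} first={e['first_user']:8} attempts={e['attempts']:3} "
              f"users={','.join(e['users'])}")
    print("first probe as 'mysql':", matching_sources(summary))
```
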