Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Jacek Lipkowski <sq5bpf () acid ch pw edu pl>
Date: Tue, 11 Dec 2001 09:35:49 +0100 (CET)

On Sun, 9 Dec 2001, Jay D. Dyson wrote:

      I've been seeing a lot of SSHd scans of late.  That in itself
isn't odd, but the sheer volume of the scans is what's got my attention. 
[...]
      Has anyone else seen this sort of thing from their systems?

yes, there is a big increase in scans for ssh, ftp, and lpd, at least on
the networks that i monitor. there also seems to be some automated tool
that scans with source port=dest. port and some other hardcoded values:

Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43
DST=my.little.net.19 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP
SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43
DST=my.little.net.15 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP
SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
[...]

also rpc scans, which have been relatively quiet for a while

Dec  7 11:22:10 195.20.70.241:111 -> my.net.1:111 SYNFIN ******SF
Dec  7 11:22:10 195.20.70.241:111 -> my.net.4:111 SYNFIN ******SF
Dec  7 11:22:11 195.20.70.241:111 -> my.net.3:111 SYNFIN ******SF

seems that christmas is coming and the kids have more time 

merry christmas :)

jacek
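A small defender-side check for the fingerprint described in the message above (source port equal to destination port, one fixed IP ID and window reused against several hosts). This is an added example, not part of the original post; the destination addresses in the sample are constructed, and the field names are the netfilter LOG keys shown in the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG format from the post.  The first two
# records mimic the scanner (SPT=DPT=22, ID and WINDOW never change across
# destinations); the third is an ordinary client connecting to ssh.
SAMPLE_LOG = """\
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=192.0.2.19 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=192.0.2.15 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:40:01 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP SPT=40212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "FIN", "ACK", "RST", "PSH", "URG")


def parse_netfilter(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None."""
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # Flag names are bare tokens without '=', so collect them separately.
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def find_scanner_signatures(log_text, min_targets=2):
    """Group TCP SYNs by source and report sources that hit several
    destinations with SPT == DPT; also note whether the IP ID and
    window size stayed constant, as in the log excerpt."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_netfilter(line)
        if f and f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"]:
            by_src[f["SRC"]].append(f)
    hits = {}
    for src, pkts in by_src.items():
        same_port = [p for p in pkts if p["SPT"] == p["DPT"]]
        targets = sorted({p["DST"] for p in same_port})
        if len(targets) < min_targets:
            continue
        ids = {p["ID"] for p in same_port}
        windows = {p["WINDOW"] for p in same_port}
        hits[src] = {
            "targets": targets,
            "ports": sorted({p["DPT"] for p in same_port}),
            "fixed_ip_id": ids.pop() if len(ids) == 1 else None,
            "fixed_window": windows.pop() if len(windows) == 1 else None,
        }
    return hits


if __name__ == "__main__":
    for src, info in find_scanner_signatures(SAMPLE_LOG).items():
        print(src, info)
```

Sources whose SYNs carry a changing IP ID are still reported when they match SPT == DPT on enough hosts, with `fixed_ip_id` set to None.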

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com