Security Incidents mailing list archives
Re: Voluminous SSHd scanning; possible worm activity?
From: Jacek Lipkowski <sq5bpf () acid ch pw edu pl>
Date: Tue, 11 Dec 2001 09:35:49 +0100 (CET)
On Sun, 9 Dec 2001, Jay D. Dyson wrote:
> I've been seeing a lot of SSHd scans of late. That in itself isn't odd, but the sheer volume of the scans is what's got my attention.
[...]
> Has anyone else seen this sort of thing from their systems?

yes, there is a big increase in scans for ssh, ftp, and lpd, at least on the networks that i monitor. there also seems to be some automated tool that scans with source port=dest. port and some other hardcoded values:

Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.19 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.15 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
[...]

also rpc scans, which have been relatively quiet for a while

Dec 7 11:22:10 195.20.70.241:111 -> my.net.1:111 SYNFIN ******SF
Dec 7 11:22:10 195.20.70.241:111 -> my.net.4:111 SYNFIN ******SF
Dec 7 11:22:11 195.20.70.241:111 -> my.net.3:111 SYNFIN ******SF

seems that christmas is coming and the kids have more time

merry christmas :)

jacek

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
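
The pattern described in the message above (bare SYNs with source port equal to destination port and the same IP ID and window on every packet) can be picked out of netfilter LOG output mechanically. The following is an added example, not part of the original post; the function names, the `min_targets` threshold and the sample lines (documentation addresses, modelled on the quoted format) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format quoted in the message
# (documentation addresses, not real traffic). The first three mimic the
# crafted scan; the last two are an ordinary client retrying an SSH connect.
SAMPLE_LOG = """\
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.43 DST=198.51.100.19 LEN=40 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.43 DST=198.51.100.15 LEN=40 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:25 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.43 DST=198.51.100.16 LEN=40 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:33:02 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.19 LEN=60 TTL=52 ID=41873 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 10 16:33:05 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.19 LEN=60 TTL=52 ID=41874 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Return the key=value fields of one LOG line plus its set of TCP flags."""
    fields = dict(KV.findall(line))
    fields["FLAGS"] = TCP_FLAGS & set(line.split())  # flags are bare tokens
    return fields

def find_crafted_scanners(log_text, min_targets=2):
    """Flag sources sending bare SYNs with SPT == DPT and a constant
    (ID, WINDOW) pair to at least min_targets distinct destinations."""
    seen = defaultdict(set)  # (src, port, ip_id, window) -> destinations
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("PROTO") != "TCP" or f["FLAGS"] != {"SYN"}:
            continue
        if not f.get("SPT") or f["SPT"] != f.get("DPT"):
            continue  # a normal client uses an ephemeral source port
        key = (f.get("SRC"), f["DPT"], f.get("ID"), f.get("WINDOW"))
        seen[key].add(f.get("DST"))
    return {k: sorted(d) for k, d in seen.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for (src, port, ip_id, win), dsts in find_crafted_scanners(SAMPLE_LOG).items():
        print(f"{src}: SPT=DPT={port} ID={ip_id} WINDOW={win} -> {len(dsts)} hosts")
```

A real IP stack varies the ID field between packets, so a constant ID and window across several destinations points to a packet-crafting tool rather than an ordinary client.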