Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Mon, 10 Dec 2001 12:52:17 -0600 (CST)

We saw, on 9 December between 1327 and 1340 UTC, simultaneous ssh scans from:


They began and ended very abruptly at the times noted above, and
came from mostly North America (9 from 4 different Canadian provinces,
and 9 from 7 different US states), but also from .kr, .be, .au and
.hk. In every case that I could determine, it appeared to be the
usual suspects - home broadband networks.

I suspect either a worm or a coordinated zombie attack.

        -g

On Sun, 9 Dec 2001, Jay D. Dyson wrote:

Hi folks,

      I've been seeing a lot of SSHd scans of late.  That in itself
isn't odd, but the sheer volume of the scans is what's got my attention.
These sorts of scans used to occur infrequently, but now they're coming
within minutes of each other, and they're coming from all over the globe.

      It's not in my nature to speculate wildly, but the sheer volume of
these scans, coupled with the variety of their origins (not to mention the
timing) leads me to wonder if a worm isn't at play here.

      Has anyone else seen this sort of thing from their systems?

-Jay

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
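An added illustration, not part of either post: the kind of check that would produce the per-source hit table above from sshd syslog lines. It slides a window over "Did not receive identification string" events and flags a window in which several distinct sources each hit repeatedly, which is the "abrupt start and stop from many addresses" pattern the thread describes. The log lines are constructed for this example and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the original post).
# OpenSSH logs this message when a client connects and drops without
# speaking the protocol, a common footprint of banner scanners.
SAMPLE_LOG = """\
Dec  9 13:27:02 host sshd[4011]: Did not receive identification string from 192.0.2.10
Dec  9 13:27:03 host sshd[4012]: Did not receive identification string from 192.0.2.10
Dec  9 13:27:05 host sshd[4013]: Did not receive identification string from 198.51.100.7
Dec  9 13:27:09 host sshd[4014]: Did not receive identification string from 192.0.2.10
Dec  9 13:28:40 host sshd[4020]: Did not receive identification string from 198.51.100.7
Dec  9 13:30:11 host sshd[4031]: Accepted publickey for alice from 203.0.113.5 port 51022
Dec  9 13:39:58 host sshd[4090]: Did not receive identification string from 198.51.100.7
Dec  9 15:10:00 host sshd[4500]: Did not receive identification string from 203.0.113.9
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Did not receive identification string from (\S+)")

def parse(log, year=2001):
    """Return [(timestamp, source_ip)] for scan-like lines; syslog has no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse "Dec  9" padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def burst_sources(events, window=timedelta(minutes=15), min_hits=2, min_sources=2):
    """Slide a window over the events and return (start, end, {ip: hits}) for the
    window with the most distinct sources that each reach min_hits, else None."""
    events = sorted(events)
    best = None
    for i, (start, _) in enumerate(events):
        hits, end = defaultdict(int), start
        for ts, ip in events[i:]:
            if ts - start > window:
                break
            hits[ip] += 1
            end = ts
        active = {ip: n for ip, n in hits.items() if n >= min_hits}
        if len(active) >= min_sources and (best is None or len(active) > len(best[2])):
            best = (start, end, active)
    return best

def report(burst):
    """Render a burst as a '#hts sourceIP' table like the one in the post."""
    start, end, hits = burst
    lines = [f"burst {start:%H:%M}-{end:%H:%M}, {len(hits)} sources", "#hts sourceIP"]
    lines += [f"{n:4d} {ip}" for ip, n in sorted(hits.items(), key=lambda kv: -kv[1])]
    return "\n".join(lines)

if __name__ == "__main__":
    found = burst_sources(parse(SAMPLE_LOG))
    print(report(found) if found else "no coordinated burst found")
```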



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

