Security Incidents mailing list archives
Re: Voluminous SSHd scanning; possible worm activity?
From: Clarissa Cook <clarissa () UU NET>
Date: 17 Dec 2001 15:57:14 -0500
"gffl" == Glenn Forbes Fleming Larratt <glratt () io com> writes:

gffl> We saw, on 9 December between 1327 and 1340 UTC, simultaneous ssh scans from:

*snip*

gffl> . They began and ended very abruptly at the times noted above, and
gffl> came from mostly North America (9 from 4 different Canadian provinces,
gffl> and 9 from 7 different US states), but also from .kr, .be, .au and
gffl> .hk . In every case that I could determine, it appeared to be the
gffl> usual suspects - home broadband networks.

gffl> I suspect either a worm or a coordinated zombie attack.

...Or one person scanning you and then throwing random source addresses
in as well to obfuscate the actual address scanned from. This was more
popular in the past, but it is still done. See nmap -D for example...

Clarissa

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
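A triage sketch for the two hypotheses in this message (many real hosts versus one scanner hidden among spoofed sources), added here as an example and not part of the original thread. It relies on the fact that a spoofed source never receives the SYN-ACK and so cannot complete a TCP handshake; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not data from the thread): time, source, TCP result on port 22.
# SYN = connection attempt only; EST = three-way handshake completed.
SAMPLE = """\
2001-12-09T13:27:05 198.51.100.7 SYN
2001-12-09T13:27:05 203.0.113.44 SYN
2001-12-09T13:27:06 192.0.2.19 SYN
2001-12-09T13:27:06 192.0.2.19 EST
2001-12-09T13:28:30 198.51.100.7 SYN
2001-12-09T13:28:31 203.0.113.90 SYN
2001-12-09T13:29:10 192.0.2.19 EST
2001-12-09T13:29:11 198.51.100.200 SYN
2001-12-09T15:02:00 192.0.2.77 EST
"""

def parse(text):
    """Turn 'timestamp source state' lines into sortable tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), src, state) for ts, src, state in rows]

def split_bursts(records, max_gap=timedelta(minutes=2)):
    """Group records into bursts separated by more than max_gap of silence."""
    bursts, current = [], []
    for rec in sorted(records):
        if current and rec[0] - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append(rec)
    return bursts + [current] if current else bursts

def triage(records, min_sources=4):
    """For each multi-source burst, separate sources proven real from unproven ones."""
    findings = []
    for burst in split_bursts(records):
        states = defaultdict(set)
        for _, src, state in burst:
            states[src].add(state)
        if len(states) < min_sources:
            continue  # too few sources to call it a distributed scan
        # A completed handshake needs the SYN-ACK to reach the sender, so that
        # address is real. SYN-only is inconclusive: spoofed or a half-open scan.
        completed = sorted(s for s, st in states.items() if "EST" in st)
        syn_only = sorted(s for s in states if s not in completed)
        verdict = "inconclusive" if not completed else "mixed" if syn_only else "all-real"
        findings.append({"start": burst[0][0], "end": burst[-1][0],
                         "completed": completed, "syn_only": syn_only, "verdict": verdict})
    return findings
```

A "mixed" verdict points the investigation at the sources that completed a handshake; "all-real" fits the worm or zombie explanation better than decoys.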