Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Clarissa Cook <clarissa () UU NET>
Date: 17 Dec 2001 15:57:14 -0500


 "gffl" == Glenn Forbes Fleming Larratt <glratt () io com> writes:

gffl> We saw, on 9 December between 1327 and 1340 UTC, simultaneous ssh scans from:

*snip*

gffl> . They began and ended very abruptly at the times noted above, and
gffl> came from mostly North America (9 from 4 different Canadian provinces,
gffl> and 9 from 7 different US states), but also from .kr, .be, .au and
gffl> .hk . In every case that I could determine, it appeared to be the
gffl> usual suspects - home broadband networks.

gffl> I suspect either a worm or a coordinated zombie attack.

...Or one person scanning you and then throwing random source addresses
in as well to obfuscate the actual address scanned from.  This was
more popular in the past, but it is still done.

See nmap -D for example...

Clarissa
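The pattern the thread describes (many sources that begin and end against the same host within the same few minutes) can be pulled out of sshd or firewall logs mechanically. The script below is an added example written for this archive page, not code from either poster: it parses constructed log lines in a simplified syslog-like format (an assumption; real sshd formats differ), computes each source's first-seen and last-seen times, and groups sources whose windows start and stop together. As the reply notes, the log alone cannot say whether such a cluster is a set of coordinated hosts or one scanner whose traffic is padded with decoy addresses; the output is a list to investigate, not an attribution.

```python
"""Flag a burst of synchronized SSH connection attempts from many sources.

Added example for the mailing-list thread above; the log format and the
addresses below are constructed for illustration (RFC 5737 test ranges).
"""
from datetime import datetime, timedelta

# Constructed sample log, simplified to "<date> <time UTC> sshd connect from <ip>".
# Three sources start at 13:27 and stop at 13:40 together; one unrelated source
# connects twice during the day.
SAMPLE_LOG = """\
2001-12-09 13:27:02 sshd connect from 203.0.113.10
2001-12-09 13:27:03 sshd connect from 198.51.100.23
2001-12-09 13:27:03 sshd connect from 192.0.2.77
2001-12-09 13:27:05 sshd connect from 203.0.113.10
2001-12-09 13:31:44 sshd connect from 198.51.100.23
2001-12-09 13:33:10 sshd connect from 192.0.2.77
2001-12-09 13:39:58 sshd connect from 203.0.113.10
2001-12-09 13:39:59 sshd connect from 198.51.100.23
2001-12-09 13:40:01 sshd connect from 192.0.2.77
2001-12-09 09:12:00 sshd connect from 192.0.2.200
2001-12-09 16:05:30 sshd connect from 192.0.2.200
"""


def parse(log):
    """Return a list of (timestamp, source_ip) from the simplified format."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "sshd":
            continue  # skip blank or unrelated lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[-1]))
    return events


def source_windows(events):
    """Map each source IP to its (first_seen, last_seen) window."""
    windows = {}
    for ts, ip in events:
        first, last = windows.get(ip, (ts, ts))
        windows[ip] = (min(first, ts), max(last, ts))
    return windows


def synchronized_sources(events, tolerance=timedelta(seconds=30), min_sources=3):
    """Group sources whose first-seen AND last-seen times both fall within
    `tolerance` of one another.

    A group of at least `min_sources` that starts and stops together is the
    'simultaneous scan' signature from the thread. The log cannot distinguish
    coordinated hosts from a single scanner using decoy source addresses, so
    each cluster is a lead to correlate with other evidence, not a verdict.
    """
    windows = source_windows(events)
    ips = sorted(windows, key=lambda ip: windows[ip][0])
    clusters, used = [], set()
    for anchor in ips:
        if anchor in used:
            continue
        a_first, a_last = windows[anchor]
        group = [ip for ip in ips
                 if ip not in used
                 and abs(windows[ip][0] - a_first) <= tolerance
                 and abs(windows[ip][1] - a_last) <= tolerance]
        if len(group) >= min_sources:
            clusters.append(sorted(group))
            used.update(group)
    return clusters


if __name__ == "__main__":
    for cluster in synchronized_sources(parse(SAMPLE_LOG)):
        print("synchronized sources:", ", ".join(cluster))
```

Tune `tolerance` to how tightly the starts and stops line up in your own data (the original report cites a 13-minute window with abrupt edges) and `min_sources` to the number of sources below which a coincidence is plausible.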

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
