Security Incidents mailing list archives

Re: slowish ssh scan from 149.69.85.65


From: Jim Watt <wattjg () appliedbiosystems com>
Date: Wed, 05 Dec 2001 12:18:54 -0800

--On 12/05/2001 11:52 AM -0600 Glenn Forbes Fleming Larratt wrote:

} On Wed, 5 Dec 2001, Russell Fulton wrote:
}> 
}> starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from
}> 149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)) who
}> have been notified -- no response yet.
} 
} Us, too (i.e. noted and blocked) (timestamps in CST [6hr west of UTC]):

Yep, something's up all right.  Not as many as yours, and not
from that machine, but very unusual:

Dec  4 23:25:53 sshd[7496]: Did not receive identification
  string from 211.58.254.51
Dec  4 23:27:24 sshd[7509]: Did not receive identification
  string from 211.58.254.51

That network's in Korea.

Only one other, from a network in Mexico:

Nov 30 19:07:02 sshd[54444]: Did not receive identification
  string from 148.246.138.105.

That's a week's worth, which is all the machine keeps.
Times are PST.

Jim
--
Jim Watt                               wattjg () appliedbiosystems com
Applied Biosystems                     Voice (desk): +1 408 577 2228
3833 North First Street                Fax:          +1 408 894 9307
San Jose CA 95134-1701                 Voice (main): +1 408 577 2200
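
The log lines quoted in the message above can be tallied per source with a short script. This is an added example, not part of the original post: it rejoins the wrapped lines and flags any source that repeats within a window. The function names, the 2001 year default (taken from the message date) and the 2-hit / 600-second threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three log entries from the message above, with their line wraps.
SAMPLE = """\
Dec  4 23:25:53 sshd[7496]: Did not receive identification
  string from 211.58.254.51
Dec  4 23:27:24 sshd[7509]: Did not receive identification
  string from 211.58.254.51
Nov 30 19:07:02 sshd[54444]: Did not receive identification
  string from 148.246.138.105.
"""

# A syslog hostname field is optional; the quoted lines do not carry one.
PROBE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\S+ )?sshd\[\d+\]: Did not receive identification string from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def unwrap(text):
    """Join continuation lines (leading whitespace) onto the previous record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records

def probes_by_source(text, year=2001):
    """Return {source_ip: sorted [datetime, ...]}; syslog omits the year."""
    hits = defaultdict(list)
    for rec in unwrap(text):
        m = PROBE.match(rec)
        if m:
            stamp = f"{year} " + " ".join(m.group("ts").split())
            hits[m.group("ip")].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {ip: sorted(times) for ip, times in hits.items()}

def repeat_sources(text, min_hits=2, window_s=600):
    """Sources with at least min_hits probes inside any window_s-second span."""
    flagged = {}
    for ip, t in probes_by_source(text).items():
        gaps = (t[i + min_hits - 1] - t[i] for i in range(len(t) - min_hits + 1))
        if any(g.total_seconds() <= window_s for g in gaps):
            flagged[ip] = len(t)
    return flagged
```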

