Security Incidents mailing list archives

Re: port 22->port 22 scans

From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sat, 13 Oct 2001 23:12:03 +0200 (MET DST)

On Sat, 6 Oct 2001, spaceork wrote:

This appears to be the work of the synscan tool. Did the common IP IDs
happen to have a value of 39426?


No. Probes from two different sweeps had different IP IDs.
But wait...it was 39426 during the first sweep (from 162.105.195.118).


On Sun, 7 Oct 2001, Gushterul wrote:

because of exploit of ssh made in zip/teso i guess :)


An exploit of the old bug in deattack.c?


On Mon, 8 Oct 2001 RWilkie () sfe com au wrote:

Looks like it is just http://www.monkey.org/~provos/scanssh/ doing the
rounds again. I've been picking up a fair few SSHD probes from kiddies
around the place.


I am not sure. That program appears to use a random source port and does
not set fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh
establishes real TCP connection to hosts where open port 22/tcp has been
found, but I did not experience anything like that.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

port 22->port 22 scans Pavel Kankovsky (Oct 06)
- Re: port 22->port 22 scans spaceork (Oct 07)
- Re: port 22 scans + 53 scans Steven S (Oct 07)
  - Re: port 22 scans + 53 scans John Sage (Oct 08)
- <Possible follow-ups>
- RE: port 22->port 22 scans Dean Cunningham (Oct 07)
- Re: port 22->port 22 scans Pavel Kankovsky (Oct 13)