Security Incidents mailing list archives
Re: port 22->port 22 scans
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sat, 13 Oct 2001 23:12:03 +0200 (MET DST)
On Sat, 6 Oct 2001, spaceork wrote:
This appears to be the work of the synscan tool. Did the common IP IDs happen to have a value of 39426?
No. Probes from two different sweeps had different IP IDs. But wait...it was 39426 during the first sweep (from 162.105.195.118). On Sun, 7 Oct 2001, Gushterul wrote:
because of exploit of ssh made in zip/teso i guess :)
An exploit of the old bug in deattack.c? On Mon, 8 Oct 2001 RWilkie () sfe com au wrote:
Looks like it is just http://www.monkey.org/~provos/scanssh/ doing the rounds again. I've been picking up a fair few SSHD probes from kiddies around the place.
I am not sure. That program appears to use a random source port and does not set fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh establishes real TCP connection to hosts where open port 22/tcp has been found, but I did not experience anything like that. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- port 22->port 22 scans Pavel Kankovsky (Oct 06)
- Re: port 22->port 22 scans spaceork (Oct 07)
- Re: port 22 scans + 53 scans Steven S (Oct 07)
- Re: port 22 scans + 53 scans John Sage (Oct 08)
- <Possible follow-ups>
- RE: port 22->port 22 scans Dean Cunningham (Oct 07)
- Re: port 22->port 22 scans Pavel Kankovsky (Oct 13)