Security Incidents mailing list archives

Re: Pretty stealthy SSH scanning seen on the Internet.

From: Andreas Östling <andreaso () it su se>
Date: Mon, 10 Sep 2001 12:55:58 +0200


On Monday 10 September 2001 03:15, Dug Song wrote:

On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:

Anyone else seen this, or have any further information?


dollars to donuts it's just niels:

      http://www.monkey.org/~provos/scanssh/

he'll be publishing his results soon at a conference near you...


199.171.27.50 (www10.gti.net) hit us with that SSH scan as well.
We also saw another, slightly different, SSH scan from 62.26.167.99 a few 
hours later (although going to networks in a different class-B).
We haven't seen any SSH sweeps for a long time, and perhaps the two were 
related. Maybe people at a conference not very near us will soon find out.

Timestamps are UTC+2.

Sep  8 21:45:29 199.171.27.50:22 -> x.x.85.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.86.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.87.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.88.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.89.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.90.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.91.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.92.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.93.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.94.1:22 SYN ******S*
Sep  8 21:45:30 199.171.27.50:22 -> x.x.95.1:22 SYN ******S*
...

Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.1:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.2:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.3:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.4:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.5:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.6:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.7:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.8:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.9:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.10:22 SYN ******S*
...


Regards,
Andreas Östling

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Pretty stealthy SSH scanning seen on the Internet. Erik Fichtner (Sep 09)
- Re: Pretty stealthy SSH scanning seen on the Internet. Dug Song (Sep 09)
  - Re: Pretty stealthy SSH scanning seen on the Internet. Kent Engström (Sep 10)
- Re: Pretty stealthy SSH scanning seen on the Internet. Andreas Östling (Sep 10)
- Re: Pretty stealthy SSH scanning seen on the Internet. dove (Sep 10)
- Re: Pretty stealthy SSH scanning seen on the Internet. Crist J. Clark (Sep 11)