Security Incidents mailing list archives

Re: Pretty stealthy SSH scanning seen on the Internet.


From: kent () unit liu se (Kent Engström)
Date: 10 Sep 2001 12:23:21 +0200

Dug Song <dugsong () monkey org> writes:
> On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:
>
> > Anyone else seen this, or have any further information?
>
> dollars to donuts it's just niels:
>
>       http://www.monkey.org/~provos/scanssh/
>
> he'll be publishing his results soon at a conference near you...

From the logs posted by Erik Fichtner <techs () obfuscation org>:
Sep  9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.

dig -x 199.171.27.50  gives:
50.27.171.199.in-addr.arpa.  57m20s IN PTR  www10.gti.net.

Would Niels really use a machine whose PTR record was "www10.gti.net"
to do that kind of scan?

We have seen this IP scan our netblock too.

-- 
Kent Engström,          Linköping University Incident Response Team
kent () unit liu se     abuse () liu se
+46 13 28 1744

UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
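
Added example, not part of the original post or the list: one way to triage the sshd entries discussed above is to group "Did not receive ident string" lines by source address, flag sources that touched several local hosts, and produce the name a `dig -x` lookup would query. Every log line after the first is constructed, and hostB, hostC and the other addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample. Line 1 is the entry quoted in the post; the rest are
# made up for illustration (hostB/hostC and the other addresses are assumed).
SAMPLE_LOG = """\
Sep  9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.
Sep  9 15:21:23 hostB sshd[1042]: Did not receive ident string from 199.171.27.50.
Sep  9 15:21:25 hostC sshd[877]: Did not receive ident string from 199.171.27.50.
Sep  9 16:02:10 hostA sshd[64711]: Did not receive ident string from 192.0.2.7.
Sep  9 16:05:41 hostA sshd[64720]: Accepted password for alice from 198.51.100.4 port 1022
Sep  9 16:09:03 hostC sshd[901]: Did not receive identification string from 203.0.113.9 port 40112
"""

# Old sshd wrote "ident string from IP."; newer OpenSSH writes
# "identification string from IP port N". Accept both forms.
PROBE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Did not receive ident(?:ification)? string from "
    r"(?P<src>[0-9A-Fa-f:.]+?)(?: port \d+)?\.?\s*$"
)

def probes_by_source(log_text):
    """Map source IP -> {"count": n, "hosts": local hosts that logged it}."""
    seen = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            seen[m["src"]]["count"] += 1
            seen[m["src"]]["hosts"].add(m["host"])
    return dict(seen)

def sweep_sources(log_text, min_hosts=2):
    """Sources whose banner-less connections reached >= min_hosts hosts."""
    found = probes_by_source(log_text)
    return sorted(s for s, v in found.items() if len(v["hosts"]) >= min_hosts)

def ptr_name(src):
    """Name that `dig -x` would query for this address."""
    return ipaddress.ip_address(src).reverse_pointer

if __name__ == "__main__":
    summary = probes_by_source(SAMPLE_LOG)
    for src in sweep_sources(SAMPLE_LOG):
        info = summary[src]
        print(src, info["count"], sorted(info["hosts"]), ptr_name(src))
```
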

