Security Incidents mailing list archives

Re: Steady increase in ssh scans

From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 12 Feb 2002 10:18:51 +1300

On Tue, 2002-02-12 at 05:35, TCG CSIRT wrote:


Is this a normal increase considering the vulnerabilities made public late last year?


I don't think that there is a 'normal' curve for this type of activity.  I 
strongly suspect that kiddie behaviour is more a result of fashion than 
rational thinking.  SSH is mearly C00l now!

Is anyone (everyone) else seeing the same type of activity?


I have not done the stats but my impression is that my figures would
mirror yours.  I am now seeing about 1-2 port 22 scans a day in each network 
block I monitor.

Has anyone seen evidence of a worm?


no, but then we have not had any compromises.  I have seen no random probing
that is favoured by most worms.  I do believe that there are worms out there 
that exploit BIND problems,  I regularly see random probes on udp 53. 

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Steady increase in ssh scans TCG CSIRT (Feb 11)
- Re: Steady increase in ssh scans Skip Carter (Feb 11)
- Re: Steady increase in ssh scans Russell Fulton (Feb 11)
  - Re: Steady increase in ssh scans Dave Dittrich (Feb 12)
- <Possible follow-ups>
- RE: Steady increase in ssh scans Lee Brotherston (Feb 11)
- Re: Steady increase in ssh scans Adam Manock (Feb 11)
  - Re: Steady increase in ssh scans Stuart Thomas (Feb 11)
  - Re: Steady increase in ssh scans Thomas Themel (Feb 12)
- RE: Steady increase in ssh scans Etienne Joubert (Feb 12)