Security Incidents mailing list archives

Re: remote openssh probe or crack?.


From: gabriel rosenkoetter <gr () eclipsed net>
Date: Fri, 14 Jun 2002 12:23:47 -0400

On Thu, Jun 13, 2002 at 04:23:34PM -0500, m () rl206 org wrote:
> Speaking of which, has anyone else noticed an upturn in
> ssh scanning lately?

Not especially:

grappa:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
       3
grappa:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
       1
grappa:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
       3

These are all hits on the IP address I IRC from (also the NAT'ed
address for other DHCP'ed machines in my internal network, but
there weren't any of those turned on in the span of time covered
by those logs).

Sources:

148.208.229.1 at Jun 14 04:14:21, 04:17:09, and 04:21:09, all from
  source port 1106
66.122.116.3 at Jun 13 04:18:22, source port 22 (curious)
210.179.223.220 at Jun 11 04:08:08, source port 22 again
68.40.135.83 at Jun 11 07:55:07 and 07:55:10, source port 22

None of these are scanssh; it uses a high source port even as root.
With the exception of 210.179.223.220, these are US DSL/cable
customers. The standout is Korean. Nothing shocking.

uriel:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
       0
uriel:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
       0
uriel:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
       1

The one hit there is from 66.122.116.3 too and happened nine seconds
later than the one above. So a PacBell DSL customer was scanning
Speakeasy (I am one in 66.92.234/24) customers. Whoop-de-doo.

-- 
gabriel rosenkoetter
gr () eclipsed net
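The grep pipeline in the message above (drop the pass-rule lines, keep the ssh ones, count) answers "how many?" but not "from where, and from which source port?", which is what the rest of the post works out by hand. The script below is an added example, not code from the post or from ipfilter; it parses ipmon(8)-style lines (the field layout is assumed from the ipmon manual page: date, time, interface, @group:rule, action letter, src,sport -> dst,dport, PR proto ...), skips packets that matched a pass rule (action `p`, the same lines `grep -v '@.*:.* p '` removes), keeps packets whose destination port is ssh, and summarises per source address. Following the post's remark that scanssh uses a high source port even when run as root, it flags sources whose source port is privileged (below 1024) as worth a second look. The sample log lines are constructed: the source addresses and times are the ones listed in the post, the destination address and the two extra pass/port-80 lines are made up, and the `SERVICE_PORTS` mapping is an assumption about which port names ipmon prints when not run with `-n`.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of ipmon(8) output (format assumed, not
# taken from the post). Action 'p' = matched a pass rule, 'b' = matched a
# block rule. ipmon prints service names (ssh) unless run with -n.
SAMPLE_LOG = """\
14/06/2002 04:14:21.120553 fxp0 @0:3 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
14/06/2002 04:17:09.301211 fxp0 @0:3 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
14/06/2002 04:21:09.008874 fxp0 @0:3 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
13/06/2002 04:18:22.553120 fxp0 @0:3 b 66.122.116.3,ssh -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
13/06/2002 10:02:41.118820 fxp0 @0:1 p 203.0.113.7,54211 -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
11/06/2002 07:55:07.770011 fxp0 @0:3 b 68.40.135.83,ssh -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
11/06/2002 09:30:00.000000 fxp0 @0:3 b 203.0.113.9,40000 -> 192.0.2.10,http PR tcp len 20 60 -S IN
"""

# Assumed mapping of the service names ipmon prints to port numbers.
SERVICE_PORTS = {"ssh": 22, "http": 80, "smtp": 25}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^,\s]+),(?P<sport>[^,\s]+) -> "
    r"(?P<dst>[^,\s]+),(?P<dport>[^,\s]+) PR (?P<proto>\S+)"
)


def port_number(token):
    """Turn '1106' or 'ssh' into an int; None if the name is unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_line(line):
    """Parse one ipmon line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = port_number(rec["sport"])
    rec["dport"] = port_number(rec["dport"])
    return rec


def ssh_hits(log_text):
    """Structured equivalent of: grep -v '@.*:.* p ' ipmon | grep ssh
    Returns {src_ip: [(date, time, sport), ...]} for non-pass packets
    aimed at tcp/22. Unlike the grep, a packet *from* port ssh to some
    other port does not count."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "p" or rec["dport"] != 22:
            continue
        hits[rec["src"]].append((rec["date"], rec["time"], rec["sport"]))
    return dict(hits)


def summarize(hits):
    """Per source: hit count, distinct source ports, and whether any
    source port is privileged (< 1024). A privileged source port is not
    what scanssh produces, so it is worth a closer look."""
    summary = {}
    for src, events in hits.items():
        sports = sorted({sp for _, _, sp in events if sp is not None})
        summary[src] = {
            "count": len(events),
            "sports": sports,
            "privileged_sport": any(sp < 1024 for sp in sports),
        }
    return summary


if __name__ == "__main__":
    for src, info in sorted(summarize(ssh_hits(SAMPLE_LOG)).items()):
        print(f"{src:16} hits={info['count']} sports={info['sports']} "
              f"privileged_source_port={info['privileged_sport']}")
```

Run it against a real `/var/log/ipmon` (or `zcat ipmon.0.gz | python3 thisscript.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the output is the same table the post builds by hand: one line per source with the timestamps collapsed into a count and the source ports listed next to it.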
