Security Incidents mailing list archives
Re: remote openssh probe or crack?.
From: gabriel rosenkoetter <gr () eclipsed net>
Date: Fri, 14 Jun 2002 12:23:47 -0400
On Thu, Jun 13, 2002 at 04:23:34PM -0500, m () rl206 org wrote:
> Speaking of which, has anyone else noticed an upturn in ssh scanning lately?
Not especially:

grappa:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
3
grappa:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
1
grappa:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
3

These are all hits on the IP address I IRC from (also the NAT'ed address for other DHCP'ed machines in my internal network, but there weren't any of those turned on in the span of time covered by those logs).

Sources:

148.208.229.1 at Jun 14 04:14:21, 04:17:09, and 04:21:09, all from source port 1106
66.122.116.3 at Jun 13 04:18:22, source port 22 (curious)
210.179.223.220 at Jun 11 04:08:08, source port 22 again
68.40.135.83 at Jun 11 07:55:07 and 07:55:10, source port 22

None of these are scanssh; it uses a high source port even as root.

With the exception of 210.179.223.220, these are US DSL/cable customers. The standout is Korean. Nothing shocking.

uriel:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
0
uriel:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
0
uriel:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
1

The one hit there is from 66.122.116.3 too and happened nine seconds later than the one above. So a PacBell DSL customer was scanning Speakeasy (I am one in 66.92.234/24) customers. Whoop-de-doo.

--
gabriel rosenkoetter
gr () eclipsed net
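The grep pipelines in the message above, extended as an added example (not part of the original post) so that the non-passed ssh hits are broken down by source address and source port, the two details the post lists for each hit. The log line layout, the `ssh_hits` and `sample_ipmon` names, and the sample lines (documentation addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Summarise non-passed ssh hits from ipmon logs by source address and source port.
# Assumed line layout (an assumption; check it against your own ipmon output):
#   Mon DD HH:MM:SS host ipmon[pid]: HH:MM:SS.us if @grp:rule ACT src,sport -> dst,dport PR tcp ...

ssh_hits() {   # reads log lines on stdin
    # Same filter as the post: drop passed packets, keep lines mentioning ssh.
    grep -v '@.*:.* p ' | grep ssh | awk '
    {
        # Locate "->"; the fields on either side are src,sport and dst,dport.
        for (i = 2; i < NF; i++) if ($i == "->") break
        if (i >= NF) next
        split($(i - 1), s, ","); split($(i + 1), d, ",")
        if (d[2] != "ssh" && d[2] != "22") next   # only traffic aimed at sshd
        sport = (s[2] == "ssh") ? "22" : s[2]     # port may be logged by name
        key = s[1] " " sport
        if (!(key in n)) { order[++k] = key; first[key] = $1 " " $2 " " $3 }
        n[key]++
    }
    END {
        for (j = 1; j <= k; j++) {
            split(order[j], p, " ")
            note = (p[2] !~ /^[0-9]+$/) ? "named-source-port" : ((p[2] + 0 < 1024) ? "low-source-port" : "high-source-port")
            printf "%s sport=%s hits=%d first=%s %s\n", p[1], p[2], n[order[j]], first[order[j]], note
        }
    }'
}

# Constructed sample lines (not from the post); the last one is a passed packet
# and must be excluded by the filter.
sample_ipmon() {
    cat <<'EOF'
Jun 14 04:14:21 fw ipmon[187]: 04:14:20.912345 ep0 @0:12 b 198.51.100.7,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 14 04:17:09 fw ipmon[187]: 04:17:08.112345 ep0 @0:12 b 198.51.100.7,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 14 04:21:09 fw ipmon[187]: 04:21:08.512345 ep0 @0:12 b 198.51.100.7,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 13 04:18:22 fw ipmon[187]: 04:18:21.300000 ep0 @0:12 b 203.0.113.9,ssh -> 192.0.2.10,ssh PR tcp len 20 40 -S IN
Jun 13 09:00:00 fw ipmon[187]: 09:00:00.000001 ep0 @0:3 p 192.0.2.50,40211 -> 192.0.2.10,ssh PR tcp len 20 60 -S IN
EOF
}

sample_ipmon | ssh_hits
```

For rotated logs, feed the function the same way the post does, for example `zcat ipmon.0.gz | ssh_hits`.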