Security Incidents mailing list archives

RE: Increase in SSH scans


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 30 Sep 2002 10:29:51 -0400


# grep 'Sep\ 2[0-2]' /var/log/messages | grep DPT=22 | wc
    139    3319   35803

# grep 'Sep\ 2[7-9]' /var/log/messages | grep DPT=22 | wc
    304    7455   78505

Yep.  Probe numbers have doubled, grabbing two recent three-day periods.

Let's have a look at a pair of seven-day periods... the first one being in the beginning of last month.

# gunzip -c /var/log/messages1[0-1].gz | grep 'Aug\ \ [1-7]' | grep DPT=22 | wc
    430    9936  106910


# grep 'Sep\ 2[2-9]' /var/log/messages | grep 'DPT=22' | wc
   1073   26589  273348

Enough for me to call it a trend.



-----Original Message-----
From: Robert Rich [mailto:rrich () gstisecurity com]
Sent: Monday, September 09, 2002 6:14 AM
To: incidents () securityfocus com
Subject: Increase in SSH scans


I will normally get two or three hits on ssh per day.

From LogWatch this morning:

 ---------------- Connections (secure-log) Begin ------------------- 

**Unmatched Entries**
Sep 29 09:38:38 low sshd[17083]: Did not receive identification string from 155.135.21.52
Sep 29 09:38:50 low sshd[17084]: Did not receive identification string from 155.135.21.52
Sep 29 10:39:59 low sshd[17134]: Did not receive identification string from 64.86.51.194
Sep 29 11:14:58 low sshd[17172]: Did not receive identification string from 192.100.172.221
Sep 29 11:15:34 low sshd[17175]: Did not receive identification string from 141.158.192.201
Sep 29 11:48:20 low sshd[17201]: Did not receive identification string from 63.94.149.93
Sep 29 11:51:24 low sshd[17211]: Did not receive identification string from 195.39.45.186
Sep 29 18:44:03 low sshd[17692]: Did not receive identification string from 66.84.209.226
Sep 29 19:03:35 low sshd[17718]: Did not receive identification string from 66.150.105.38
Sep 29 19:18:32 low sshd[17736]: Did not receive identification string from 210.33.44.12
Sep 29 19:59:58 low sshd[17774]: Did not receive identification string from 163.180.17.91
Sep 29 20:33:03 low sshd[17807]: Did not receive identification string from 196.40.3.74
Sep 29 20:42:53 low sshd[17815]: Did not receive identification string from 140.127.192.30

At least one of the hosts involved shows up at dshield.org with evidence 
of a slapper infestation.  

Anyone seeing anything similar?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


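The `grep ... | grep DPT=22 | wc` counts above measure log lines, not scanners. One host that retries (the two 155.135.21.52 entries in the LogWatch output) or a netfilter rule that logs every SYN inflates the line count, so distinct source addresses per window are the more honest trend figure. The sshd message itself, "Did not receive identification string", is what OpenSSH logs when a client completes the TCP handshake but never sends its protocol version banner, which is the footprint of a scanner grabbing the server banner and dropping. The following is an added example, not code from either poster: it applies the same window comparison to a constructed syslog sample, parsing the timestamp properly (so the two-space padding of single-digit days that forces `'Aug\ \ [1-7]'` is handled) and tallying both raw lines and distinct sources. All log lines and addresses are constructed, and the layout of the netfilter `DPT=22` lines is an assumption.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). Syslog pads
# single-digit days with a second space ("Sep  2"), which is why the
# post's grep pattern for early August reads 'Aug\ \ [1-7]'.
# The "kernel: IN=... DPT=22" layout is an assumed netfilter LOG format.
SAMPLE_LOG = """\
Sep  2 01:00:00 low kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Sep 22 03:11:02 low kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Sep 22 03:11:03 low kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 22 04:00:00 low kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40003 DPT=80 SYN
Sep 27 09:38:38 low sshd[17083]: Did not receive identification string from 192.0.2.20
Sep 27 09:38:50 low sshd[17084]: Did not receive identification string from 192.0.2.20
Sep 28 10:39:59 low sshd[17134]: Did not receive identification string from 192.0.2.21
Sep 29 11:14:58 low sshd[17172]: Did not receive identification string from 192.0.2.22
Sep 29 11:15:34 low kernel: IN=eth0 OUT= SRC=192.0.2.22 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40004 DPT=22 SYN
Sep 29 11:15:35 low kernel: IN=eth0 OUT= SRC=192.0.2.23 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40005 DPT=22 SYN
"""

# "Mon dd hh:mm:ss host message"; ' +' absorbs the padding space.
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Netfilter line for a packet aimed at tcp/22; capture the source address.
DPT22_RE = re.compile(r"\bSRC=" + IPV4 + r"\b.*\bDPT=22\b")
# sshd: TCP connect completed, no client banner before disconnect.
SSHD_NOBANNER_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from " + IPV4
)


def parse_syslog(line):
    """Split a syslog line into (month, day, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    month, day, _time, _host, msg = m.groups()
    return month, int(day), msg


def ssh_probe_source(msg):
    """Return the probing source IP if the message records an SSH probe, else None."""
    m = SSHD_NOBANNER_RE.search(msg) or DPT22_RE.search(msg)
    return m.group(1) if m else None


def count_probes(lines, month, first_day, last_day):
    """Tally SSH probe lines per source within an inclusive day window of one month."""
    per_source = Counter()
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        mon, day, msg = parsed
        if mon != month or not first_day <= day <= last_day:
            continue
        src = ssh_probe_source(msg)
        if src is not None:
            per_source[src] += 1
    # "lines" is what grep | wc -l would report; "sources" is what it hides.
    return {"lines": sum(per_source.values()), "sources": per_source}


def per_day_counts(lines, month):
    """Probe lines per day for one month, to see whether a jump is a spike or a shift."""
    by_day = Counter()
    for line in lines:
        parsed = parse_syslog(line)
        if parsed and parsed[0] == month and ssh_probe_source(parsed[2]):
            by_day[parsed[1]] += 1
    return by_day


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, window in (("Sep 20-22", (20, 22)), ("Sep 27-29", (27, 29))):
        r = count_probes(lines, "Sep", *window)
        print(f"{label}: {r['lines']} lines from {len(r['sources'])} sources")
        for src, n in r["sources"].most_common():
            print(f"    {src:15} {n}")
    print("per day:", dict(sorted(per_day_counts(lines, "Sep").items())))
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG.splitlines()` with the file's lines (and `gunzip -c` for the rotated `messages*.gz`). The windows compared in the post span month boundaries only by accident of the dates chosen; `count_probes` deliberately takes a single month, so a window crossing into October is two calls added together rather than a regex like `'Sep\ 2[7-9]\|Oct\ \ [1-3]'`.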