Security Incidents mailing list archives

RE: Anyone else seeing SSH scans?


From: "GUSAIN, SUBODH" <subodh.gusain () hp com>
Date: Wed, 28 Jul 2004 17:48:57 -0400

Hi folks,
I am seeing the following logs. I don't see any external source IP, though. The IP that I am seeing is an IP on the 
internal interface. But it definitely looks like a scan, but my server is dropping it.
Can someone please confirm!!!

For privacy reasons, I have commented out the IP address with the string "internal IP"

Jul 28 14:55:57 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:55:57 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:55:58 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:55:58 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:55:59 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:55:59 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:56:00 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:56:00 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:57:05 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: Connection refused
Jul 28 14:57:05 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: failed.
Jul 28 14:57:07 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: Connection refused
Jul 28 14:57:07 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: failed.

-----Original Message-----
From: sk () onlaw at [mailto:sk () onlaw at]
Sent: Wednesday, July 28, 2004 5:30 AM
To: incidents () securityfocus com
Subject: Re: Anyone else seeing SSH scans?



Hi!

I've also encountered these scans twice a day from different IPs.
Remarkable is that these scans all originate from different Asian
countries (mostly .jp && .kr).

Is this something new, or just people looking for badly configured
machines?

I can't think of an sshd configured that badly, but who knows...

Stefan
 
-----Original Message-----
From: Matthew Dharm [mailto:mdharm () one-eyed-alien net]
Sent: Tuesday, July 27, 2004 19:00
To: incidents () securityfocus com
Subject: Anyone else seeing SSH scans?

I've noticed that several *NIX machines I have running (all of which are
located in the same IP block) are periodically getting scanned via ssh
for the accounts 'test' and 'guest'.

The source IP varies with each scan.  But I'm getting about one of these
a day now.  Obviously, I don't have accounts with that name on my
systems, but still....

Is this something new, or just people looking for badly configured
machines?

Matt

-- 
Matthew Dharm                              Home: mdharm () one-eyed-alien net
Senior Software Designer, Momentum Computer

P:  Nine more messages in admin.policy.
M: I know, I'm typing as fast as I can!
                                        -- Pitr and Mike
User Friendly, 11/27/97
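
The sshd `connect_to` errors posted in the first message of this thread can be tallied per sshd process and destination, which shows how many attempts each process logged and over what time span. This is an added example, not part of the original posts; the `summarize` function and its field names are assumptions, and the sample lines are copied from the log above with the poster's "internal IP" redaction kept.

```python
import re
from collections import defaultdict

# Sample lines in the format posted above; "internal IP" is the poster's redaction.
SAMPLE = """\
Jul 28 14:55:57 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:55:57 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:55:58 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: Connection refused
Jul 28 14:55:58 machine1 sshd[29360]: [ID 800047 auth.error] error: connect_to internal IP port 8888: failed.
Jul 28 14:57:05 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: Connection refused
Jul 28 14:57:05 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: failed.
Jul 28 14:57:07 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: Connection refused
Jul 28 14:57:07 machine1 sshd[29665]: [ID 800047 auth.error] error: connect_to 127.0.0.1 port 8888: failed.
"""

# The "[ID ... auth.error]" tag is optional so plain syslog lines also match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?error: connect_to (?P<dest>.+?) port (?P<port>\d+): "
    r"(?P<reason>.+)$"
)

def summarize(text):
    """Group connect_to errors by (sshd pid, destination, port)."""
    groups = defaultdict(
        lambda: {"attempts": 0, "first": None, "last": None, "reasons": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = groups[(int(m["pid"]), m["dest"], int(m["port"]))]
        # In the posted log every attempt ends with a "failed." line; count
        # those, and keep the text of the other line as the failure reason.
        if m["reason"] == "failed.":
            g["attempts"] += 1
        else:
            g["reasons"].add(m["reason"])
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
    return dict(groups)

if __name__ == "__main__":
    for (pid, dest, port), g in sorted(summarize(SAMPLE).items()):
        print(f"sshd[{pid}] -> {dest}:{port} attempts={g['attempts']} "
              f"{g['first']} .. {g['last']} reasons={sorted(g['reasons'])}")
```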

