Security Incidents mailing list archives

Re: Anyone else seeing SSH scans?


From: Jon Lewis <jlewis () lewis org>
Date: Wed, 28 Jul 2004 14:23:31 -0400 (EDT)

On Tue, 27 Jul 2004, Matthew Dharm wrote:

> I've noticed that several *NIX machines I have running (all of which are
> located in the same IP block) are periodically getting scanned via ssh for
> the accounts 'test' and 'guest'.
>
> The source IP varies with each scan.  But I'm getting about one of these a
> day now.  Obviously, I don't have accounts with that name on my systems,
> but still....

I just had a look through the logs on one of my boxes and though I don't
allow incoming ssh without jumping through additional hoops, I do see that
something is sequentially scanning IP space for sshds.  This box has two
subnets routed to/through it and those are separated by several dozen
/24's worth of IP space.

In most of the scans, I'm seeing all IPs in the lower subnet hit
simultaneously (all within the same second) followed by the IPs in the
higher subnet simultaneously hit 5s to nearly a minute later.

The source IPs are all over the world (US, China, Korea, Austria to name a
few) and most are running various versions of openssh.  A few are
currently unreachable.

Has anyone successfully contacted any of the admins responsible for the
scanning boxes to try to find out what's behind this?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
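
The pattern reported in this message (one source touching every address in the lower subnet within the same second, then the higher subnet seconds later) can be flagged from connection logs. The following is an added example, not part of the original post; the log format, subnets, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: one line per inbound connection to port 22 (assumed log format).
SAMPLE_LOG = """\
2004-07-28T03:14:07 src=203.0.113.7 dst=192.0.2.1 dport=22
2004-07-28T03:14:07 src=203.0.113.7 dst=192.0.2.2 dport=22
2004-07-28T03:14:07 src=203.0.113.7 dst=192.0.2.3 dport=22
2004-07-28T03:14:19 src=203.0.113.7 dst=198.51.100.1 dport=22
2004-07-28T03:14:19 src=203.0.113.7 dst=198.51.100.2 dport=22
2004-07-28T03:14:19 src=203.0.113.7 dst=198.51.100.3 dport=22
2004-07-28T03:20:00 src=203.0.113.50 dst=192.0.2.2 dport=22
"""
# Assumed stand-ins for the two routed subnets (documentation address ranges).
SUBNETS = [ip_network("192.0.2.0/28"), ip_network("198.51.100.0/28")]
LINE = re.compile(r"(\S+) src=(\S+) dst=(\S+) dport=22$")

def find_sweeps(log_text, subnets, min_hosts=3):
    """Return {source: [(subnet, second, hosts_hit), ...]} for same-second bursts."""
    hits = defaultdict(set)  # (source, subnet, timestamp) -> destinations touched
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src, dst = m.group(2), ip_address(m.group(3))
        for net in subnets:
            if dst in net:
                hits[(src, net, ts)].add(dst)
    sweeps = defaultdict(list)
    for (src, net, ts), dsts in sorted(hits.items(), key=lambda kv: kv[0][2]):
        if len(dsts) >= min_hosts:  # many hosts in one second: a sweep, not a login
            sweeps[src].append((net, ts, len(dsts)))
    return dict(sweeps)

def subnet_gaps(sweeps):
    """Seconds between a source's burst on one subnet and its next burst on another."""
    gaps = {}
    for src, bursts in sweeps.items():
        for (net_a, t_a, _), (net_b, t_b, _) in zip(bursts, bursts[1:]):
            if net_a != net_b:
                gaps[src] = (t_b - t_a).total_seconds()
    return gaps

if __name__ == "__main__":
    found = find_sweeps(SAMPLE_LOG, SUBNETS)
    print(found)
    print(subnet_gaps(found))
```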

