Re: Pretty stealthy SSH scanning seen on the Internet.

From: Andreas Östling (andreasoat_private)
Date: Mon Sep 10 2001 - 03:55:58 PDT


    On Monday 10 September 2001 03:15, Dug Song wrote:
    > On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:
    > > Anyone else seen this, or have any further information?
    >
    > dollars to donuts it's just niels:
    >
    > 	http://www.monkey.org/~provos/scanssh/
    >
    > he'll be publishing his results soon at a conference near you...
    >
    
    199.171.27.50 (www10.gti.net) hit us with that SSH scan as well.
    We also saw another, slightly different, SSH scan from 62.26.167.99 a few 
    hours later (although going to networks in a different class-B).
    We haven't seen any SSH sweeps for a long time, and perhaps the two were 
    related. Maybe people at a conference not very near us will soon find out.
    
    Timestamps are UTC+2.
    
    Sep  8 21:45:29 199.171.27.50:22 -> x.x.85.1:22 SYN ******S*
    Sep  8 21:45:29 199.171.27.50:22 -> x.x.86.1:22 SYN ******S*
    Sep  8 21:45:29 199.171.27.50:22 -> x.x.87.1:22 SYN ******S*
    Sep  8 21:45:29 199.171.27.50:22 -> x.x.88.1:22 SYN ******S*
    Sep  8 21:45:29 199.171.27.50:22 -> x.x.89.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.90.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.91.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.92.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.93.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.94.1:22 SYN ******S*
    Sep  8 21:45:30 199.171.27.50:22 -> x.x.95.1:22 SYN ******S*
    ...
    
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.1:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.2:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.3:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.4:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.5:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.6:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.7:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.8:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.9:22 SYN ******S*
    Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.10:22 SYN ******S*
    ...
    
    
    Regards,
    Andreas Östling
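
Added example, not part of the original message: one way to separate the two sweep shapes visible in the excerpts above (one host in each consecutive /24 versus many hosts inside a single /24) and to note the source port equal to the service port. The function name, the `min_targets` threshold and the 192.0.2.10 contrast line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines in the format quoted above: five per scan taken from the message, plus
# one constructed ordinary client connection (192.0.2.10) for contrast.
SAMPLE_LOG = """\
Sep  8 21:45:29 199.171.27.50:22 -> x.x.85.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.86.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.87.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.88.1:22 SYN ******S*
Sep  8 21:45:29 199.171.27.50:22 -> x.x.89.1:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.1:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.2:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.3:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.4:22 SYN ******S*
Sep  9 16:07:33 62.26.167.99:22 -> y.y.6.5:22 SYN ******S*
Sep  9 16:08:01 192.0.2.10:40112 -> y.y.6.3:22 SYN ******S*
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+):(\d+) -> (\S+):(\d+) SYN \S+$")

def classify_sweeps(log, port=22, min_targets=5):
    """Group SYNs to `port` by source and describe the shape of each sweep."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) == port:
            by_src[m.group(1)].append((int(m.group(2)), m.group(3)))
    report = {}
    for src, hits in by_src.items():
        targets = {dst for _, dst in hits}
        if len(targets) < min_targets:  # too few hosts to call it a sweep
            continue
        subnets = {dst.rsplit(".", 1)[0] for dst in targets}  # /24 prefix
        if len(subnets) == len(targets):
            shape = "one host per /24"
        elif len(subnets) == 1:
            shape = "many hosts in one /24"
        else:
            shape = "mixed"
        report[src] = {"targets": len(targets), "subnets": len(subnets),
                       "shape": shape,
                       # True when every SYN left from the service port itself
                       "sport_is_service_port": {sp for sp, _ in hits} == {port}}
    return report

if __name__ == "__main__":
    for src, info in classify_sweeps(SAMPLE_LOG).items():
        print(src, info)
```
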
    