port 22->port 22 scans

From: Pavel Kankovsky (peakat_private)
Date: Fri Oct 05 2001 - 17:08:49 PDT


    On Thursday (Oct 4), we detected four sweeps looking for open
    TCP port 22 (ssh):
    
       Approx. time   Source IP           Source FQDN
       07:05 GMT      162.105.195.118     skltr.mech.pku.edu.cn
       12:33 GMT      64.124.36.229       (none)
       21:01 GMT      134.100.226.18      mtgp8.zmaw.de
       21:41 GMT      131.152.102.64      xunil1.physik.unibas.ch
    
    The traits of all those sweeps were very similar:
    
    - the source port of all probes was 22
    - all probes within one sweep had the same IP ID (*)
    - lost/filtered probes were not retried
    - the sweeps were pretty fast, hundreds of addresses in a few seconds
    - no actual i/o was done
    
    (*) With 1 exception that had a TTL different from other logged probes
    in the sweep as well.
    
    Is there any kind of SSH worm out there?!
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
    
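The traits listed in the post translate directly into a detection rule: probes with source port 22 to destination port 22, many distinct targets in a few seconds, and one IP ID shared by (almost) every probe. The script below is an added example, not part of the original post or of any tool mentioned in it; it runs over a few constructed, simplified iptables-style log lines (addresses, IDs and times are made up) and reports sources matching that pattern, tolerating the single odd probe the post describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (simplified iptables-style fields); not real traffic.
SAMPLE_LOG = """\
Oct  4 07:05:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 ID=54321 TTL=48 PROTO=TCP SPT=22 DPT=22 SYN
Oct  4 07:05:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 ID=54321 TTL=48 PROTO=TCP SPT=22 DPT=22 SYN
Oct  4 07:05:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 ID=54321 TTL=48 PROTO=TCP SPT=22 DPT=22 SYN
Oct  4 07:05:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 ID=54321 TTL=48 PROTO=TCP SPT=22 DPT=22 SYN
Oct  4 07:05:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.14 ID=54390 TTL=51 PROTO=TCP SPT=22 DPT=22 SYN
Oct  4 07:10:40 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 ID=1033 TTL=60 PROTO=TCP SPT=40112 DPT=22 SYN
Oct  4 07:10:44 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 ID=1034 TTL=60 PROTO=TCP SPT=40113 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) ID=(?P<id>\d+) "
    r"TTL=(?P<ttl>\d+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse(log):
    """Yield one dict per TCP log line; the timestamp becomes seconds since midnight."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            h, mi, s = map(int, m["ts"].split(":"))
            yield {"t": h * 3600 + mi * 60 + s, "src": m["src"], "dst": m["dst"],
                   "id": int(m["id"]), "spt": int(m["spt"]), "dpt": int(m["dpt"])}

def find_sweeps(log, min_targets=4, window=10, id_share=0.8):
    """Return {src: summary} for sources showing the reported traits: source port 22
    to port 22, at least min_targets distinct hosts within `window` seconds, and a
    single IP ID on at least id_share of the probes (the rest are the 'exceptions')."""
    by_src = defaultdict(list)
    for p in parse(log):
        if p["spt"] == 22 and p["dpt"] == 22:   # trait: src port 22 -> dst port 22
            by_src[p["src"]].append(p)
    hits = {}
    for src, probes in by_src.items():
        targets = {p["dst"] for p in probes}
        span = max(p["t"] for p in probes) - min(p["t"] for p in probes)
        ip_id, n = Counter(p["id"] for p in probes).most_common(1)[0]  # dominant IP ID
        if len(targets) >= min_targets and span <= window and n / len(probes) >= id_share:
            hits[src] = {"targets": len(targets), "seconds": span, "ip_id": ip_id,
                         "odd_probes": len(probes) - n}
    return hits

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {info}")
```

A constant IP ID across a burst of unretried SYNs is the tell here; ordinary SSH clients increment it and retransmit when a probe is lost, so tuning `id_share` lets you decide how many stray probes a sweep may contain before it stops matching.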
    