port 22->port 22 scans

From: Pavel Kankovsky (peakat_private)
Date: Fri Oct 05 2001 - 17:08:49 PDT

    On Thursday (Oct 4), we have detected four sweeps, looking for open
    TCP port 22 (ssh):
       Approx. time   Source IP           Source FQDN
       07:05 GMT     skltr.mech.pku.edu.cn
       12:33 GMT       (none)
       21:01 GMT      mtgp8.zmaw.de
       21:41 GMT      xunil1.physik.unibas.ch
    The traits of all those sweeps were very similar:
    - the source port of all probes was 22
    - all probes within one sweep had the same IP ID (*)
    - lost/filtered probes were not retried
    - the sweeps were pretty fast, hundreds of addresses in a few seconds
    - no actual i/o was done
    (*) With 1 exception that had a TTL different from other logged probes
    in the sweep as well.
    Is there any kind of SSH worm out there?!
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
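
The traits listed in the message above can be turned into a simple per-source check over packet logs. The following is an added example, not part of the original post; the log line format, the thresholds, the function name `find_sweeps` and all sample addresses and IP ID values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not data from the post): "time src:port dst:port id=N ttl=N".
# All addresses are documentation ranges; the IP ID values are made up.
SAMPLE = [
    # 20 probes in about 2 s, source port 22, one shared IP ID with a single outlier
    f"{1000 + i * 0.1:.1f} 192.0.2.10:22 198.51.100.{i + 1}:22 "
    f"id={9999 if i == 7 else 4660} ttl={52 if i == 7 else 48}"
    for i in range(20)
] + [
    # port 22 -> port 22 traffic, but every packet carries its own IP ID
    f"{1000 + i:.1f} 203.0.113.7:22 198.51.100.{i + 1}:22 id={100 + i} ttl=60"
    for i in range(6)
] + [
    # ordinary SSH client using an ephemeral source port
    "1003.0 192.0.2.50:40022 198.51.100.5:22 id=7 ttl=64",
]

def find_sweeps(lines, min_targets=5, window=10.0, min_id_share=0.9):
    """Return {source_ip: stats} for sources matching the sweep traits."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, ip_id, _ttl = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        if s_port == "22" and d_port == "22":      # trait: source port is 22
            by_src[s_ip].append((float(ts), d_ip, ip_id))
    hits = {}
    for s_ip, probes in by_src.items():
        times = [p[0] for p in probes]
        targets = [p[1] for p in probes]
        ids = [p[2] for p in probes]
        top_id = max(set(ids), key=ids.count)
        id_share = ids.count(top_id) / len(ids)    # trait: same IP ID (outliers tolerated)
        no_retry = len(targets) == len(set(targets))  # trait: probes are not retried
        seconds = max(times) - min(times)          # trait: many addresses in seconds
        if (len(set(targets)) >= min_targets and id_share >= min_id_share
                and no_retry and seconds <= window):
            hits[s_ip] = {"targets": len(targets), "id_share": id_share,
                          "seconds": seconds}
    return hits

if __name__ == "__main__":
    for src, stats in find_sweeps(SAMPLE).items():
        print(src, stats)
```

The `min_id_share` tolerance exists because the post notes one probe in a sweep that had a different IP ID and TTL.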