On Thursday (Oct 4), we detected four sweeps, looking for open TCP
port 22 (ssh):

Approx. time  Source IP        Source FQDN
07:05 GMT     162.105.195.118  skltr.mech.pku.edu.cn
12:33 GMT     64.124.36.229    (none)
21:01 GMT     134.100.226.18   mtgp8.zmaw.de
21:41 GMT     131.152.102.64   xunil1.physik.unibas.ch

The traits of all those sweeps were very similar:
- the source port of all probes was 22
- all probes within one sweep had the same IP ID (*)
- lost/filtered probes were not retried
- the sweeps were pretty fast, hundreds of addresses in a few seconds
- no actual i/o was done

(*) With 1 exception that had a TTL different from other logged probes
in the sweep as well.

Is there any kind of SSH worm out there?!

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
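
A log filter for the sweep traits listed in the post above, as an added example that is not part of the original message. The record layout, the thresholds and the sample records are assumptions constructed for illustration; the "no actual i/o" trait is not modelled.

```python
from collections import Counter, defaultdict

def find_sweeps(probes, min_targets=20, max_seconds=10, min_id_share=0.9):
    """Flag sources whose probes match the traits listed in the post.

    probes: iterable of (time_s, src_ip, sport, dst_ip, dport, ip_id, ttl).
    This layout and the thresholds are assumptions, not from the post.
    """
    by_src = defaultdict(list)
    for p in probes:
        if p[2] == 22 and p[4] == 22:      # source port 22, destination port 22
            by_src[p[1]].append(p)
    findings = {}
    for src, rows in by_src.items():
        per_target = Counter(r[3] for r in rows)
        duration = max(r[0] for r in rows) - min(r[0] for r in rows)
        ip_id, id_hits = Counter(r[5] for r in rows).most_common(1)[0]
        ttl = Counter(r[6] for r in rows).most_common(1)[0][0]
        if (len(per_target) >= min_targets              # many addresses ...
                and duration <= max_seconds             # ... within seconds
                and max(per_target.values()) == 1       # probes never retried
                and id_hits / len(rows) >= min_id_share):   # one shared IP ID
            # Keep the odd probes (differing IP ID or TTL) for manual review.
            outliers = [r for r in rows if r[5] != ip_id or r[6] != ttl]
            findings[src] = {"targets": len(per_target), "seconds": duration,
                             "ip_id": ip_id, "outliers": outliers}
    return findings

def constructed_sample():
    """Constructed records; all addresses are RFC 5737 documentation ranges."""
    rows = [(1000 + i * 0.01, "192.0.2.10", 22, f"198.51.100.{i}", 22, 39426, 47)
            for i in range(1, 201)]
    # One probe in the sweep with a different IP ID and TTL.
    rows[57] = (1000.58, "192.0.2.10", 22, "198.51.100.58", 22, 1234, 112)
    # An ordinary ssh client: ephemeral source port, varying IP ID, one target.
    rows += [(1000 + i, "203.0.113.5", 40000 + i, "198.51.100.7", 22, 500 + i, 52)
             for i in range(5)]
    # Source port 22 but a single, retried target: too narrow to be a sweep.
    rows += [(1000 + i, "203.0.113.9", 22, "198.51.100.8", 22, 7, 60)
             for i in range(3)]
    return rows

if __name__ == "__main__":
    for src, info in find_sweeps(constructed_sample()).items():
        print(src, info["targets"], "targets in", round(info["seconds"], 2), "s;",
              len(info["outliers"]), "probe(s) with differing IP ID/TTL")
```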
This archive was generated by hypermail 2b30 : Sat Oct 06 2001 - 11:27:26 PDT