RE: port 22->port 22 scans

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Sun Oct 07 2001 - 13:18:43 PDT


    The ones I have:
    
    4 Oct 2001 04:29 GMT   211.185.206.2 (no reverse DNS, but a school in
    Korea) full site scan
    3 Oct 2001 18:49 GMT   195.4.172.21 (no reverse DNS, but
    whois=pppool.de) partial site scan
    
    Pattern as you described, 50 IPs/sec.
    
    Another interesting pattern is the number of sites that are doing single
    pings and then a single ssh probe. 
    
    cw.net
    exodus.net
    gblx.net
    
    Appears to be some web optimising code, as the targets are my internal DNS
    servers.
    
    regards
    Dean
    
    -----Original Message-----
    From: Pavel Kankovsky [mailto:peakat_private]
    Sent: Saturday, 6 October 2001 12:09 p.m.
    To: incidentsat_private
    Subject: port 22->port 22 scans
    
    
    On Thursday (Oct 4), we have detected four sweeps, looking for open
    TCP port 22 (ssh):
    
       Approx. time   Source IP           Source FQDN
       07:05 GMT      162.105.195.118     skltr.mech.pku.edu.cn
       12:33 GMT      64.124.36.229       (none)
       21:01 GMT      134.100.226.18      mtgp8.zmaw.de
       21:41 GMT      131.152.102.64      xunil1.physik.unibas.ch
    
    The traits of all those sweeps were very similar:
    
    - the source port of all probes was 22
    - all probes within one sweep had the same IP ID (*)
    - lost/filtered probes were not retried
    - the sweeps were pretty fast, hundreds of addresses in few seconds
    - no actual i/o was done
    
    (*) With 1 exception that had a TTL different from other logged probes
    in the sweep as well.
    
    Is there any kind of SSH worm out there?!
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    ***************************************************
    This e-mail is  not an  official  statement of  the
    Waikato  Regional  Council unless otherwise stated.
    Visit our website http://www.ew.govt.nz
    ***************************************************
    
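The sweep traits Pavel lists (source port 22 to destination port 22, one IP ID shared across a whole sweep, hundreds of addresses in a few seconds, no retries) are enough to write a detector for. The script below is an added example, not code from either poster: it parses netfilter-style kernel log lines, groups port-22-to-port-22 SYNs by source, and flags a source as a sweep when it hits many distinct destinations in a short window with an essentially constant IP ID. The log lines are constructed here using documentation addresses (192.0.2.0/24, 198.51.100.0/24), and the thresholds (50 targets, 10 second window, one tolerated odd probe to allow for the exception Pavel noted) are assumptions to tune for your own logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Netfilter/iptables LOG line fields we care about (syslog timestamp first).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) TTL=(?P<ttl>\d+) ID=(?P<ip_id>\d+) "
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield one dict per TCP log line that matches LOG_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "ttl": int(m["ttl"]),
            "ip_id": int(m["ip_id"]),
            "spt": int(m["spt"]),
            "dpt": int(m["dpt"]),
        }


def find_sweeps(text, min_targets=50, max_span_seconds=10.0, id_tolerance=1):
    """Return one summary per source that matches the port 22 -> port 22 sweep pattern.

    A source qualifies when, within max_span_seconds, it probed at least min_targets
    distinct destinations from source port 22 to destination port 22, and all but
    id_tolerance of those probes carried the same IP ID.
    """
    by_src = defaultdict(list)
    for rec in parse_log(text):
        if rec["spt"] == 22 and rec["dpt"] == 22:
            by_src[rec["src"]].append(rec)

    sweeps = []
    for src, recs in by_src.items():
        targets = {r["dst"] for r in recs}
        if len(targets) < min_targets:
            continue
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        if span > max_span_seconds:
            continue
        dominant_id, dominant_n = Counter(r["ip_id"] for r in recs).most_common(1)[0]
        odd = len(recs) - dominant_n
        if odd > id_tolerance:
            continue
        sweeps.append({
            "src": src,
            "targets": len(targets),
            "span_seconds": span,
            "probes_per_sec": round(len(recs) / max(span, 1.0), 1),
            "ip_id": dominant_id,
            "odd_probes": odd,
        })
    return sweeps


def build_sample_log():
    """Constructed log: one fast sweep, one normal SSH client, one small 22->22 burst."""
    lines = []
    # Sweep from 192.0.2.10: 120 hosts over three seconds, IP ID 1234 except one probe.
    for i in range(120):
        sec = 1 + i // 40
        ip_id, ttl = (777, 52) if i == 57 else (1234, 48)
        lines.append(f"Oct  4 07:05:{sec:02d} gw kernel: IN=eth0 SRC=192.0.2.10 "
                     f"DST=198.51.100.{i + 1} TTL={ttl} ID={ip_id} PROTO=TCP SPT=22 DPT=22 SYN")
    # Ordinary SSH client: ephemeral source ports, incrementing IP IDs, one destination.
    for n, ip_id in enumerate((9001, 9002, 9003)):
        lines.append(f"Oct  4 07:06:0{n} gw kernel: IN=eth0 SRC=192.0.2.77 "
                     f"DST=198.51.100.5 TTL=64 ID={ip_id} PROTO=TCP SPT=5123{n} DPT=22 SYN")
    # Five 22->22 probes with varying IDs: below the target threshold, not flagged.
    for n in range(5):
        lines.append(f"Oct  4 07:07:00 gw kernel: IN=eth0 SRC=192.0.2.99 "
                     f"DST=198.51.100.{200 + n} TTL=61 ID={3000 + n} PROTO=TCP SPT=22 DPT=22 SYN")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LOG):
        print(f"{s['src']}: {s['targets']} targets in {s['span_seconds']}s "
              f"({s['probes_per_sec']}/s), IP ID {s['ip_id']}, {s['odd_probes']} odd probe(s)")
```

Only the first source is reported: the ordinary client never matches the port filter, and the five-host burst stays under the target threshold. The constant IP ID is the most distinctive trait here, since a normal host increments the ID per packet; a source that hits many hosts with one ID and never retries is almost certainly a raw-socket sweeper rather than a stack-driven connection attempt.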
    



    This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:56:26 PDT