Ones I have,

4 Oct 2001 04:29 GMT  211.185.206.2  (no DNS res, but a school in Korea)   full site scan
3 Oct 2001 18:49 GMT  195.4.172.21   (no DNS res, but whois=pppool.de)     partial site scan, pattern as you described, 50 ips/sec

Another interesting pattern is the number of sites that are doing single pings and then a single ssh probe: cw.net, exodus.net, gblx.net. Appears to be some web optimising code, as the targets are my internal DNS servers.

regards
Dean

-----Original Message-----
From: Pavel Kankovsky [mailto:peakat_private]
Sent: Saturday, 6 October 2001 12:09 p.m.
To: incidentsat_private
Subject: port 22->port 22 scans

On Thursday (Oct 4), we have detected four sweeps, looking for open TCP port 22 (ssh):

Approx. time   Source IP         Source FQDN
07:05 GMT      162.105.195.118   skltr.mech.pku.edu.cn
12:33 GMT      64.124.36.229     (none)
21:01 GMT      134.100.226.18    mtgp8.zmaw.de
21:41 GMT      131.152.102.64    xunil1.physik.unibas.ch

The traits of all those sweeps were very similar:

- the source port of all probes was 22
- all probes within one sweep had the same IP ID (*)
- lost/filtered probes were not retried
- the sweeps were pretty fast, hundreds of addresses in a few seconds
- no actual i/o was done

(*) With 1 exception that had a TTL different from other logged probes in the sweep as well.

Is there any kind of SSH worm out there?!

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************
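As an added illustration (not part of either message above, and not anyone's production code), a small detector that scores firewall-style records against the sweep traits Pavel lists: source port 22 to destination port 22, one IP ID shared across the whole sweep (with at most one outlier, as in his footnote), many distinct targets within a few seconds, and no retries. The record format and all addresses are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (documentation addresses, not real traffic).
# Fields: time_seconds src dst sport dport ipid ttl
SAMPLE_LOG = """\
0.00 203.0.113.7 198.51.100.1 22 22 31337 48
0.01 203.0.113.7 198.51.100.2 22 22 31337 48
0.02 203.0.113.7 198.51.100.3 22 22 31337 48
0.03 203.0.113.7 198.51.100.4 22 22 31337 48
0.04 203.0.113.7 198.51.100.5 22 22 9001 61
0.05 203.0.113.7 198.51.100.6 22 22 31337 48
1.00 192.0.2.9 198.51.100.1 51234 22 4100 53
5.00 192.0.2.9 198.51.100.1 51234 22 4101 53
"""

def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, ipid, ttl = line.split()
        records.append({"t": float(t), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport),
                        "ipid": int(ipid), "ttl": int(ttl)})
    return records

def find_sweeps(records, min_hosts=5, window=10.0, max_outliers=1):
    """Return one finding per source whose 22->22 probes match the sweep traits."""
    by_src = defaultdict(list)
    for r in records:
        if r["sport"] == 22 and r["dport"] == 22:   # trait: source port 22
            by_src[r["src"]].append(r)
    findings = []
    for src, probes in by_src.items():
        hosts = {p["dst"] for p in probes}
        if len(hosts) < min_hosts or len(hosts) != len(probes):
            continue   # too few targets, or retries (the sweeps did not retry)
        span = max(p["t"] for p in probes) - min(p["t"] for p in probes)
        if span > window:
            continue   # trait: hundreds of addresses in a few seconds
        ipid, dominant = Counter(p["ipid"] for p in probes).most_common(1)[0]
        outliers = len(probes) - dominant   # one probe with a different ID/TTL is tolerated
        if outliers > max_outliers:
            continue
        findings.append({"src": src, "hosts": len(hosts), "span": round(span, 2),
                         "ipid": ipid, "outliers": outliers})
    return findings

if __name__ == "__main__":
    for finding in find_sweeps(parse_log(SAMPLE_LOG)):
        print(finding)
```

The second source in the sample (an ordinary client with an ephemeral source port that retries the same host) is deliberately not flagged.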
This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:56:26 PDT