On Sat, 6 Oct 2001, spaceork wrote: > This appears to be the work of the synscan tool. Did the common IP IDs > happen to have a value of 39426? No. Probes from two different sweeps had different IP IDs. But wait...it was 39426 during the first sweep (from 162.105.195.118). On Sun, 7 Oct 2001, Gushterul wrote: > because of exploit of ssh made in zip/teso i guess :) An exploit of the old bug in deattack.c? On Mon, 8 Oct 2001 RWilkieat_private wrote: > Looks like it is just http://www.monkey.org/~provos/scanssh/ doing the > rounds again. I've been picking up a fair few SSHD probes from kiddies > around the place. I am not sure. That program appears to use a random source port and does not set fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh establishes real TCP connection to hosts where open port 22/tcp has been found, but I did not experience anything like that. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Oct 13 2001 - 14:21:38 PDT