Re: port 22->port 22 scans

From: Pavel Kankovsky (peakat_private)
Date: Sat Oct 13 2001 - 14:12:03 PDT


    On Sat, 6 Oct 2001, spaceork wrote:

    > This appears to be the work of the synscan tool. Did the common IP IDs
    > happen to have a value of 39426?

    No. Probes from two different sweeps had different IP IDs.
    But was 39426 during the first sweep (from

    On Sun, 7 Oct 2001, Gushterul wrote:

    > because of exploit of ssh made in zip/teso i guess :)

    An exploit of the old bug in deattack.c?

    On Mon, 8 Oct 2001 RWilkieat_private wrote:

    > Looks like it is just doing the
    > rounds again. I've been picking up a fair few SSHD probes from kiddies
    > around the place.

    I am not sure. That program appears to use a random source port and does
    not set fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh
    establishes real TCP connection to hosts where open port 22/tcp has been
    found, but I did not experience anything like that.

    --Pavel Kankovsky aka Peak  [ Boycott Microsoft-- ]
    "Resistance is futile. Open your source code and prepare for assimilation."

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Sat Oct 13 2001 - 14:21:38 PDT
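
The traits compared in this thread (source port equal to destination port 22, a fixed nonzero IP ID within a sweep, and whether the prober ever completes a TCP handshake) can be checked mechanically over captured packet headers. The following is an added example, not part of the original message; the record layout, function names and sample addresses are constructed for illustration, and a sweep is approximated as all probes from one source address.

```python
from collections import defaultdict

# Constructed sample records, not real traffic:
# (src, dst, sport, dport, ip_id, tcp_flags)
PACKETS = [
    ("192.0.2.10", "198.51.100.1", 22, 22, 39426, "S"),
    ("192.0.2.10", "198.51.100.2", 22, 22, 39426, "S"),
    ("192.0.2.10", "198.51.100.3", 22, 22, 39426, "S"),
    ("203.0.113.7", "198.51.100.1", 40211, 22, 5120, "S"),
    ("203.0.113.7", "198.51.100.2", 51877, 22, 5121, "S"),
    ("203.0.113.7", "198.51.100.1", 40211, 22, 5123, "A"),  # handshake completed
]

def profile_sources(packets, dport=22, min_targets=2):
    """Per source address, summarise the traits discussed in the thread."""
    syns = defaultdict(list)
    acked = set()
    for src, dst, sport, dp, ip_id, flags in packets:
        if dp != dport:
            continue
        if flags == "S":
            syns[src].append((dst, sport, ip_id))
        elif "A" in flags and "S" not in flags:
            acked.add(src)  # a bare ACK from the prober: it finished a handshake
    report = {}
    for src, probes in syns.items():
        targets = {d for d, _, _ in probes}
        if len(targets) < min_targets:
            continue  # a single probed host is not treated as a sweep
        sports = {s for _, s, _ in probes}
        ids = {i for _, _, i in probes}
        report[src] = {
            "targets": len(targets),
            "fixed_sport": next(iter(sports)) if len(sports) == 1 else None,
            "fixed_ip_id": next(iter(ids)) if len(ids) == 1 and 0 not in ids else None,
            "completes_handshake": src in acked,
        }
    return report

def label(profile, dport=22):
    """Map a profile to one of the two behaviours contrasted in the thread."""
    if (profile["fixed_sport"] == dport and profile["fixed_ip_id"]
            and not profile["completes_handshake"]):
        return "SYN sweep with fixed source port and fixed IP ID"
    if profile["fixed_sport"] is None and profile["completes_handshake"]:
        return "connecting scanner with random source ports"
    return "unclassified"

if __name__ == "__main__":
    for src, prof in profile_sources(PACKETS).items():
        print(src, label(prof), prof)
```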