Re: port 22->port 22 scans

From: Pavel Kankovsky (peakat_private)
Date: Sat Oct 13 2001 - 14:12:03 PDT

  • Next message: Jay D. Dyson: "Re: Who's liable?"

    On Sat, 6 Oct 2001, spaceork wrote:
    
    > This appears to be the work of the synscan tool. Did the common IP IDs
    > happen to have a value of 39426? 
    
    No. Probes from two different sweeps had different IP IDs.
    But wait...it was 39426 during the first sweep (from 162.105.195.118).
    
    
    On Sun, 7 Oct 2001, Gushterul wrote:
    
    > because of exploit of ssh made in zip/teso i guess :)
    
    An exploit of the old bug in deattack.c?
    
    
    On Mon, 8 Oct 2001 RWilkieat_private wrote:
    
    > Looks like it is just http://www.monkey.org/~provos/scanssh/ doing the
    > rounds again. I've been picking up a fair few SSHD probes from kiddies
    > around the place.
    
    I am not sure. That program appears to use a random source port and does
    not set fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh
    establishes real TCP connection to hosts where open port 22/tcp has been
    found, but I did not experience anything like that.
    
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Oct 13 2001 - 14:21:38 PDT