Recently we have observed a fast scan for the SSH service from a single host to our complete Class B address range. The owner of the host is notified and they are investigating the situation. Since this is the first time I have encountered such a scan, I wanted to share the details:

The complete Class B address space was scanned very rapidly, first by a SYN-FIN scan, followed by a TCP-Connect scan to the ports found open. The second connection was almost immediate, suggesting a single tool doing both scans. The host appears to run Linux (from passive OS fingerprint), and the host was both a DNS server and mail exchanger for its domain.

Log information from a single host is below. Times are in EET (GMT+0200).

* Packet logs (src and dest. address obfuscated). First line is the SYN-FIN scan; src port 22 and SF flags imply root access to the machine. Second line is the probe.

Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)

* SSH log of the same machine: shows that the second probe was a real connection (not a SYN scan). It is probably used to collect version information from the server. I believe it is NOT scanssh, since scanssh does send a version string.

Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170.

It looks like a custom tool looking for vulnerable sshd versions. Has anyone encountered something similar?

Can

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 08:20:21 PDT
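Added example (editor's code, not part of Can's post or anything from the list): a small Python detector for the pattern described above. It parses tcpdump lines in the format quoted in the post and sshd "Did not receive identification string" messages, flags packets carrying SYN and FIN together (plus the reflexive privileged source port the post points out), and pairs each such probe with a silent SSH connection from the same source shortly afterwards. All addresses, the hostname and the sample log lines are constructed (RFC 5737 documentation ranges), not the poster's obfuscated logs; the correlation window and field names are my own choices.

```python
"""Flag SYN-FIN sweeps and the silent SSH banner probe that follows them.

Input formats assumed (both shapes appear in the post above):
  tcpdump: "Oct 16 19:54:25.228427 SRC.SPORT > DST.DPORT: FLAGS [tcp sum ok] ..."
  sshd:    "Oct 16 19:54:27 host sshd[PID]: Did not receive identification string from SRC"
"""
import re
from datetime import datetime, timedelta

TCP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+) "
)
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>[\w.:-]+)"
)


def parse_ts(text):
    """Syslog-style timestamp without a year; only time deltas matter here."""
    fmt = "%b %d %H:%M:%S.%f" if "." in text else "%b %d %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_tcp_line(line):
    m = TCP_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = parse_ts(d["ts"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_sshd_line(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "src": m["src"]}


def is_syn_fin(pkt):
    # SYN and FIN together never occur in a real handshake; the packet was crafted.
    return "S" in pkt["flags"] and "F" in pkt["flags"]


def find_sweep(tcpdump_lines, sshd_lines, window=timedelta(seconds=60)):
    """Pair each SYN-FIN probe with a later empty SSH connection from the same source.

    sshd lines carry the local hostname rather than an address, so pairing is by
    source address only (assumption: one host's sshd log is passed per call).
    """
    probes = [p for p in map(parse_tcp_line, tcpdump_lines) if p and is_syn_fin(p)]
    silent = [e for e in map(parse_sshd_line, sshd_lines) if e]
    findings = []
    for p in probes:
        follow = [e for e in silent
                  if e["src"] == p["src"] and timedelta(0) <= e["ts"] - p["ts"] <= window]
        findings.append({
            "src": p["src"], "dst": p["dst"], "dport": p["dport"],
            "synfin_at": p["ts"],
            # Source port equal to the destination port, and below 1024, means the
            # packet was hand-crafted via raw sockets (root on a Unix sender), as the
            # post observes.
            "reflexive_sport": p["sport"] == p["dport"],
            "privileged_sport": p["sport"] < 1024,
            "banner_grab_at": min(e["ts"] for e in follow) if follow else None,
        })
    return findings


def targets_per_source(findings):
    """Distinct hosts each source probed; a large count is a sweep, not a one-off."""
    seen = {}
    for f in findings:
        seen.setdefault(f["src"], set()).add(f["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


# Constructed sample data (RFC 5737 addresses), shaped like the logs in the post.
SAMPLE_TCPDUMP = [
    "Oct 16 19:54:25.228427 192.0.2.10.22 > 198.51.100.5.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)",
    "Oct 16 19:54:25.230011 192.0.2.10.22 > 198.51.100.6.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39427)",
    "Oct 16 19:54:26.573878 192.0.2.10.1845 > 198.51.100.5.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)",
    "Oct 16 19:55:01.000000 203.0.113.7.40123 > 198.51.100.5.22: S [tcp sum ok] 1:1(0) win 5840 (DF) (ttl 63, id 1)",
]
SAMPLE_SSHD = [
    "Oct 16 19:54:27 mailhost sshd[3247]: Did not receive identification string from 192.0.2.10",
    "Oct 16 19:55:02 mailhost sshd[3251]: Accepted publickey for alice from 203.0.113.7 port 40123 ssh2",
]

if __name__ == "__main__":
    hits = find_sweep(SAMPLE_TCPDUMP, SAMPLE_SSHD)
    for f in hits:
        print(f"{f['src']} -> {f['dst']}:{f['dport']} SYN-FIN at {f['synfin_at'].time()} "
              f"reflexive={f['reflexive_sport']} banner_grab={f['banner_grab_at']}")
    print("targets per source:", targets_per_source(hits))
```

The ordinary client SYN from 203.0.113.7 and its "Accepted publickey" line are deliberately included so the detector shows it ignores normal traffic; only the crafted SYN-FIN packets from 192.0.2.10 produce findings, both annotated with the empty banner connection 1.8 seconds later.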