fast ssh scans

From: Can Erkin Acar (canacarat_private)
Date: Thu Oct 18 2001 - 00:40:33 PDT


    Recently we have observed a fast scan for the SSH service from a single
    host to our complete Class B address range. The owner of the host is
    notified and they are investigating the situation. Since this is the
    first time I have encountered such a scan, I wanted to share the details:

    The complete Class B address space was scanned very rapidly, first by a
    SYN-FIN scan, followed by a TCP connect scan to the ports found open.
    The second connection was almost immediate, suggesting a single tool
    doing both scans.

    The host appears to run Linux (from passive OS fingerprint),
    and the host was both a DNS server and mail exchanger for its domain.

    Log information from a single host is below. Times are in EET (GMT+0200).

    * Packet logs (src and dest. address obfuscated).
      First line is the SYN-FIN scan; src port 22 and SF flags imply root access
      to the machine. Second line is the probe.

    Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
    Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)

    * SSH log of the same machine: shows that the second probe was a real
      connection (not a SYN scan). It is probably used to collect version
      information from the server. I believe it is NOT scanssh since scanssh
      does send a version string.

    Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from

    It looks like a custom tool looking for vulnerable sshd versions.
    Has anyone encountered something similar?
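The two-stage pattern described in the post (a SYN-FIN probe to port 22, then a full TCP connection that closes without sending an SSH identification string) is something a defender can detect by correlating the packet log with the sshd log. The following is an added example, not code from the post or its author: a small Python script that parses tcpdump-style lines in the format shown above, flags segments with both SYN and FIN set, and pairs each one with a subsequent "Did not receive identification string" sshd event from the same source within a short window. The sample log lines, the addresses (RFC 5737 documentation ranges), the year used to complete the syslog timestamps, and the five-second correlation window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data modelled on the lines in the post. The addresses are
# documentation ranges (RFC 5737), not the hosts involved in the real incident.
PACKET_LOG = """\
Oct 16 19:54:25.228427 192.0.2.10.22 > 198.51.100.5.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
Oct 16 19:54:26.573878 192.0.2.10.1845 > 198.51.100.5.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)
Oct 16 20:03:11.004512 203.0.113.7.40112 > 198.51.100.5.22: S [tcp sum ok] 100:100(0) win 5840 <mss 1460> (DF) (ttl 60, id 1)
"""

SSHD_LOG = """\
Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 192.0.2.10
Oct 16 20:03:12 hostname sshd[3301]: Accepted publickey for alice from 203.0.113.7 port 40112 ssh2
"""

# tcpdump line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..."
PKT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)(?:\.\d+)?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPAUEWC.]+)\s"
)
# sshd line; the trailing peer address is optional because it may be cut off
# (as it is in the post) or absent in some sshd versions.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Did not receive identification string(?:\s+from\s+(?P<peer>\S+))?"
)

YEAR = 2001  # syslog timestamps carry no year; assumed from the post's date


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_packets(text):
    """Return a list of dicts for every line that looks like a tcpdump TCP record."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def parse_sshd(text):
    """Return a list of dicts for every 'Did not receive identification string' event."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            events.append(d)
    return events


def is_syn_fin(pkt):
    # SYN and FIN never occur together in a legitimate handshake; crafting such
    # a segment needs a raw socket, which is why the post reads it as root access.
    return "S" in pkt["flags"] and "F" in pkt["flags"]


def find_syn_fin(pkts, port=22):
    return [p for p in pkts if is_syn_fin(p) and p["dport"] == port]


def correlate(pkts, events, window_s=5):
    """Pair each SYN-FIN probe to port 22 with an sshd 'no identification string'
    event that follows it within window_s seconds from the same source (or from an
    unknown source when the sshd line is truncated). Returns (src, dst, probe_ts, sshd_ts)."""
    hits = []
    for p in find_syn_fin(pkts):
        for e in events:
            delta = e["ts"] - p["ts"]
            same_peer = e["peer"] in (None, p["src"])
            if timedelta(0) <= delta <= timedelta(seconds=window_s) and same_peer:
                hits.append((p["src"], p["dst"], p["ts"], e["ts"]))
    return hits


if __name__ == "__main__":
    for src, dst, probe_ts, sshd_ts in correlate(parse_packets(PACKET_LOG), parse_sshd(SSHD_LOG)):
        print(f"two-stage sshd probe: {src} -> {dst} SYN-FIN at {probe_ts}, no banner at {sshd_ts}")
```

The ordinary SYN from 203.0.113.7, which goes on to a successful login, produces no hit; only the SYN-FIN source that then opened a connection without sending a banner is reported. In practice the packet log and sshd log come from different clocks, so the window should be wider than the clock skew between the sensor and the host.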

    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 08:20:21 PDT