fast ssh scans

From: Can Erkin Acar (canacarat_private)
Date: Thu Oct 18 2001 - 00:40:33 PDT


    Recently we have observed a fast scan for the SSH service from a single
    host to our complete Class B address range. The owner of the host is
    notified and they are investigating the situation. Since this is the
    first time I have encountered such a scan, I wanted to share the details:
    
    The complete class B address space was scanned very rapidly first by a
    SYN-FIN scan, followed by a TCP-Connect scan to the ports found open.
    The second connection was almost immediate, suggesting a single tool
    doing both scans.
    
    The host appears to run Linux (from passive OS fingerprint)
    and the host was both a DNS server and mail exchanger for its domain.
    
    Log information from a single host is below; times are in EET (GMT+0200).
    
    * Packet logs (src and dest. address obfuscated).
      First line is the SYN-FIN scan; src port 22 and SF flags imply root access
      to the machine. Second line is the probe.
    
    Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
    Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)
    
    * SSH log of the same machine: Shows that the second probe was a real
      connection (not a SYN scan). It is probably used to collect version
      information from the server. I believe it is NOT scanssh since scanssh
      does send a version string.
    
    Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170.
    
    
    It looks like a custom tool looking for vulnerable sshd versions.
    Has anyone encountered something similar?
    
    
    Can
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
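As an added example (not part of the original post), the following Python script correlates the two observations described above: a tcpdump line with the SF flag combination aimed at port 22, followed within a few seconds by sshd logging "Did not receive identification string" from the same source. The sample log lines are constructed in the format shown in the message, using documentation addresses in place of the obfuscated XXX/YYY ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not the original post's data): tcpdump-style packet
# log and sshd syslog lines. 192.0.2.10 is the scanning host, 192.0.2.77 a
# legitimate client that should not be flagged.
PACKET_LOG = """\
Oct 16 19:54:25.228427 192.0.2.10.22 > 198.51.100.5.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 27, id 39426)
Oct 16 19:54:26.573878 192.0.2.10.1845 > 198.51.100.5.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 <mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)
Oct 16 19:55:01.000000 192.0.2.77.40000 > 198.51.100.5.22: S [tcp sum ok] 1:1(0) win 5840 (DF) (ttl 60, id 1)
"""
SSHD_LOG = """\
Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 192.0.2.10
Oct 16 19:55:30 hostname sshd[3250]: Accepted publickey for alice from 192.0.2.77 port 40000 ssh2
"""

# Groups: 1 timestamp, 2 src ip, 3 src port, 4 dst ip, 5 dst port, 6 TCP flags
PKT_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): ([A-Z.]+) ")
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
                    r"Did not receive identification string from (\d+\.\d+\.\d+\.\d+)")

def parse_ts(s, year=2001):
    """syslog/tcpdump timestamps carry no year; assume one so they compare."""
    fmt = "%b %d %H:%M:%S.%f" if "." in s else "%b %d %H:%M:%S"
    return datetime.strptime(f"{year} {s}", "%Y " + fmt)

def is_syn_fin(flags):
    """SYN and FIN set together never occur in a legitimate handshake."""
    return "S" in flags and "F" in flags

def correlate(packet_log, sshd_log, window=timedelta(seconds=5)):
    """Return (src, probe_time, sshd_time) for sources that sent a SYN-FIN to
    port 22 and then opened a real connection without sending a version string."""
    synfin = {}  # src ip -> time of its first SYN-FIN probe against port 22
    for line in packet_log.splitlines():
        m = PKT_RE.match(line)
        if m and m.group(5) == "22" and is_syn_fin(m.group(6)):
            synfin.setdefault(m.group(2), parse_ts(m.group(1)))
    alerts = []
    for line in sshd_log.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        src, t = m.group(2), parse_ts(m.group(1))
        if src in synfin and timedelta(0) <= t - synfin[src] <= window:
            alerts.append((src, synfin[src], t))
    return alerts

if __name__ == "__main__":
    for src, probe, ssh in correlate(PACKET_LOG, SSHD_LOG):
        print(f"version-probe pattern from {src}: SYN-FIN at {probe}, empty SSH connect at {ssh}")
```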
    



    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 08:20:21 PDT