RE: Scans for SSHd via RIPE netblocks, anyone?

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Mon Oct 22 2001 - 09:50:21 PDT

Next message: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"

Previous message: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
In reply to: Jay D. Dyson: "Scans for SSHd via RIPE netblocks, anyone?"
Next in thread: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"
Reply: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Not only from this side of the Atlantic... I've seen a big increase in SSH
scans in the last couple weeks. Here's my last 4 scans:

- Philippines ISP (Linux kernel 2.4.x)
- Chinese Hospital (RedHat 6.2)
- Swedish web server (down at this time)
- NY based dns server (RedHat 7.0)

Compromised hosts? Maybe, but from what I could check, none of the
responding sites is using SSH except for one which has port 22 filtered.

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardosoat_private     http://www.whatevernet.com/



>
> Hi folks,
>
> 	No great shakes here, but I'm curious to know if anyone else is
> seeing concerted SSHd scans coming from RIPE netblocks lately.  I've noted
> a few here and, while I considered them oddities at first, I'm starting to
> wonder if someone (or something) across the Atlantic doesn't have the
> much-ballyhoo'd "0day for sale."
>
> 	I'm not bored enough to see what they're really up to (yet), so I
> figured I'd just toss this out for general consideration.
>
> 	Oh yeah, the latest scan came from 193.206.153.7.
>
>


_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"
Previous message: Alexander Bochmann: "Re: "Worm" behavior -- port 80 honey pots"
In reply to: Jay D. Dyson: "Scans for SSHd via RIPE netblocks, anyone?"
Next in thread: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"
Reply: Sean Kelly: "RE: Scans for SSHd via RIPE netblocks, anyone?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 14:35:57 PDT