slowish ssh scan from 149.69.85.65

From: Russell Fulton (r.fultonat_private)
Date: Tue Dec 04 2001 - 18:19:58 PST


    Greetings All,
    
    Starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from 
    149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)), who 
    have been notified -- no response yet.
    
    times are UTC:
    
    Here are argus logs from the start of the scan:
    
    04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.246.76.22    S_
    04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->   130.216.209.198.22    S_
    04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->   130.216.136.186.22    S_
    04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.100.52.22    S_
    04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.63.174.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.217.104.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.253.238.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->    130.216.144.92.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.107.214.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->     130.216.71.80.22    S_
    04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->    130.216.34.202.22    S_
    -An -Zb host 149.69.85.65 /home/argus/data/2001.12.05/argus-2001.12.05.09.00.gz 
    04 Dec 01 20:19:11    tcp    149.69.85.65.20     ->   130.216.232.172.22    S_
    04 Dec 01 20:19:11    tcp    149.69.85.65.20     ->    130.216.196.38.22    S_
    04 Dec 01 20:19:11    tcp    149.69.85.65.20     ->    130.216.123.26.22    S_
    04 Dec 01 20:19:11    tcp    149.69.85.65.20     ->    130.216.86.148.22    S_
    04 Dec 01 20:19:11    tcp    149.69.85.65.20     ->     130.216.50.14.22    S_
    04 Dec 01 20:31:05    tcp    149.69.85.65.20     ->   130.216.203.200.22    S_
    04 Dec 01 20:31:05    tcp    149.69.85.65.20     ->    130.216.240.78.22    S_
    04 Dec 01 20:31:05    tcp    149.69.85.65.20     ->   130.216.130.188.22    S_
    04 Dec 01 20:31:05    tcp    149.69.85.65.20     ->    130.216.57.176.22    S_
    04 Dec 01 20:31:05    tcp    149.69.85.65.20     ->     130.216.21.42.22    S_
    04 Dec 01 20:42:04    tcp    149.69.85.65.20     ->   130.216.211.106.22    S_
    04 Dec 01 20:42:04    tcp    149.69.85.65.20     ->   130.216.174.228.22    S_
    04 Dec 01 20:42:04    tcp    149.69.85.65.20     ->    130.216.138.94.22    S_
    04 Dec 01 20:42:04    tcp    149.69.85.65.20     ->   130.216.101.216.22    S_
    
    Note the source port is always 20 and the probes come in bursts of 5 with
    destination addresses apparently random.
    
    The scans continued until I blocked access to this address on our router.
    
    Only one host probed was actually running ssh, and this host had its
    banner retrieved.
    
    time UTC +1300
    05 Dec 01 11:52:07   *       tcp    149.69.85.65.20     ->   130.216.185.206.22    6        4         0            48          SRA_SPA
    
    This host is not running a vulnerable ssh daemon and no other traffic 
    followed.
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
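Added example (not code from Russell's post, from the incidents list, or from argus itself): a small Python parser for flow records in the layout quoted above, plus a detector for exactly the pattern described: SYN-only probes from one fixed source port to the same destination port on many distinct hosts, arriving in bursts. It also lists which probed hosts completed a handshake, which is how the single banner retrieval would show up. The sample records reuse lines from the post and add two constructed benign flows; the function names and thresholds are my own choices. Matching on the source port is deliberate: a fixed privileged source port such as 20 (ftp-data) is worth flagging on its own, because stateless packet filters have historically allowed inbound connections "from ftp-data" through.

```python
"""Detect slow, bursty SYN scans in argus-style flow lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Sample records: the first eleven are lines from the post, the last two are
# constructed benign flows (completed connections, ephemeral source ports).
SAMPLE_LOG = """\
04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.246.76.22    S_
04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->   130.216.209.198.22    S_
04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->   130.216.136.186.22    S_
04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.100.52.22    S_
04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.63.174.22    S_
04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.217.104.22    S_
04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.253.238.22    S_
04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->    130.216.144.92.22    S_
04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->   130.216.107.214.22    S_
04 Dec 01 19:58:21    tcp    149.69.85.65.20     ->     130.216.71.80.22    S_
05 Dec 01 11:52:07   *       tcp    149.69.85.65.20     ->   130.216.185.206.22    6        4         0            48          SRA_SPA
04 Dec 01 19:50:00    tcp    192.0.2.10.40123    ->    130.216.1.1.22    SRA_SPA
04 Dec 01 19:50:01    tcp    192.0.2.10.40124    ->    130.216.1.1.22    SRA_SPA
"""

# "a.b.c.d.port": the last dotted component is the port.
ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def parse_line(line):
    """Parse one record; returns a dict or None for lines that do not fit."""
    tok = line.split()
    if len(tok) < 8:
        return None
    ts = datetime.strptime(" ".join(tok[:4]), "%d %b %y %H:%M:%S")
    rest = tok[4:]
    if rest[0] == "*":          # optional flag column seen in the post
        rest = rest[1:]
    proto, src, arrow, dst = rest[:4]
    ms, md = ENDPOINT.match(src), ENDPOINT.match(dst)
    if arrow != "->" or not (ms and md):
        return None
    # The state string is always the last column, whether or not the
    # packet/byte count columns are present.
    return {"ts": ts, "proto": proto,
            "src": ms.group(1), "sport": int(ms.group(2)),
            "dst": md.group(1), "dport": int(md.group(2)),
            "state": rest[-1]}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_scanners(records, min_targets=5, burst_min=5, window_s=1):
    """Flag (src, sport, dport) tuples whose SYN-only flows reach at least
    min_targets distinct hosts; count bursts of burst_min probes within
    window_s seconds and list hosts that completed a handshake."""
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["state"] == "S_":
            groups[(r["src"], r["sport"], r["dport"])].append(r)

    findings = []
    for (src, sport, dport), flows in groups.items():
        targets = {f["dst"] for f in flows}
        if len(targets) < min_targets:
            continue
        # Sliding window over sorted timestamps; a window is counted once,
        # the moment it grows to burst_min probes.
        times = sorted(f["ts"] for f in flows)
        bursts, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 == burst_min:
                bursts += 1
        # Probed hosts that answered and went beyond the SYN (banner grab).
        answered = sorted({r["dst"] for r in records
                           if r["src"] == src and r["dport"] == dport
                           and r["state"] != "S_"})
        findings.append({"src": src, "sport": sport, "dport": dport,
                         "targets": len(targets), "probes": len(flows),
                         "bursts": bursts, "answered": answered,
                         "privileged_sport": sport < 1024,
                         "first": times[0].isoformat(),
                         "last": times[-1].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_scanners(parse_log(SAMPLE_LOG)):
        print(f)
```

Run stand-alone it reports one finding for 149.69.85.65: 10 probes to 10 hosts on port 22 from source port 20, two bursts, and 130.216.185.206 as the only host that completed a handshake. The constructed 192.0.2.10 flows are ignored because they are completed connections with ephemeral source ports, which is the traffic shape a real ssh client produces.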
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 21:05:31 PST