Re: slowish ssh scan from 149.69.85.65

From: Glenn Forbes Fleming Larratt (glrattat_private)
Date: Wed Dec 05 2001 - 09:52:35 PST

    On Wed, 5 Dec 2001, Russell Fulton wrote:
    
    > Greetings All,
    >
    > starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from
    > 149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)) who
    > have been notified -- no response yet.
    >
    > times are UTC:
    >
    > Here are argus logs from the start of the scan:
    >
    > 04 Dec 01 19:47:36    tcp    149.69.85.65.20     ->    130.216.246.76.22    S_
    
    Us, too (i.e. noted and blocked) (timestamps in CST [6hr west of UTC]):
    
    [4 Dec ...]
    18:49:26.223817 149.69.85.65.20 > MY.NET.10.38.22: S 2168502234:2168502234(0) win 16383 (DF)
    18:49:26.224625 149.69.85.65.20 > MY.NET.46.172.22: S 1105269703:1105269703(0) win 16383 (DF)
    18:49:26.227256 149.69.85.65.20 > MY.NET.83.50.22: S 1657904554:1657904554(0) win 16383 (DF)
    19:37:53.536652 149.69.85.65.20 > MY.NET.186.198.22: S 3121786201:3121786201(0) win 16383 (DF)
    19:37:53.536980 149.69.85.65.20 > MY.NET.223.76.22: S 2535195653:2535195653(0) win 16383 (DF)
    20:23:45.174780 149.69.85.65.20 > MY.NET.253.212.22: S 2148637354:2148637354(0) win 16383 (DF)
    22:11:58.666148 149.69.85.65.20 > MY.NET.132.70.22: S 2788760079:2788760079(0) win 16383 (DF)
    	:
    	:
    	:
    [5 Dec ...]
    04:09:35.725747 149.69.85.65.20 > MY.NET.24.234.22: S 2517150545:2517150545(0) win 16383 (DF)
    04:09:35.727293 149.69.85.65.20 > MY.NET.61.112.22: S 1628242169:1628242169(0) win 16383 (DF)
    04:09:35.727798 149.69.85.65.20 > MY.NET.97.246.22: S 2442363253:2442363253(0) win 16383 (DF)
    04:09:35.728948 149.69.85.65.20 > MY.NET.134.124.22: S 1516061231:1516061231(0) win 16383 (DF)
    04:09:35.729401 149.69.85.65.20 > MY.NET.171.2.22: S 2274091846:2274091846(0) win 16383 (DF)
    04:09:35.729733 149.69.85.65.20 > MY.NET.207.136.22: S 1263654121:1263654121(0) win 16383 (DF)
    05:01:53.515893 149.69.85.65.20 > MY.NET.91.248.22: S 1300803353:1300803353(0) win 16383 (DF)
    05:12:50.074005 149.69.85.65.20 > MY.NET.26.142.22: S 1540461245:1540461245(0) win 16383 (DF)
    05:12:50.074471 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
    05:12:50.074602 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
    05:12:50.075101 149.69.85.65.20 > MY.NET.99.154.22: S 1318554152:1318554152(0) win 16383 (DF)
    05:25:35.554361 149.69.85.65.20 > MY.NET.34.48.22: S 2277649205:2277649205(0) win 16383 (DF)
    05:25:35.554696 149.69.85.65.20 > MY.NET.70.182.22: S 1268990159:1268990159(0) win 16383 (DF)
    05:25:35.555322 149.69.85.65.20 > MY.NET.107.60.22: S 1903485238:1903485238(0) win 16383 (DF)
    05:25:35.555674 149.69.85.65.20 > MY.NET.143.194.22: S 2855227857:2855227857(0) win 16383 (DF)
    05:25:35.556002 149.69.85.65.20 > MY.NET.180.72.22: S 2135358137:2135358137(0) win 16383 (DF)
    
    
    
    -- 
    Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
    glrattat_private                        http://www.io.com/~glratt
    There are imaginary bugs to chase in heaven.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
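
Added example, not part of the original message: a Python summary of tcpdump SYN lines like those quoted above, reporting per source and destination port the distinct targets, the number of bursts, the hours spanned and the source ports seen. The function names, the 60-second burst gap, and the assumption that lines arrive in capture order (used to detect the midnight rollover) are choices made for this example.

```python
import re
from collections import defaultdict
# Lines copied from the tcpdump excerpt in the message above (MY.NET is the poster's masking).
SAMPLE = """\
18:49:26.223817 149.69.85.65.20 > MY.NET.10.38.22: S 2168502234:2168502234(0) win 16383 (DF)
18:49:26.224625 149.69.85.65.20 > MY.NET.46.172.22: S 1105269703:1105269703(0) win 16383 (DF)
19:37:53.536652 149.69.85.65.20 > MY.NET.186.198.22: S 3121786201:3121786201(0) win 16383 (DF)
22:11:58.666148 149.69.85.65.20 > MY.NET.132.70.22: S 2788760079:2788760079(0) win 16383 (DF)
04:09:35.725747 149.69.85.65.20 > MY.NET.24.234.22: S 2517150545:2517150545(0) win 16383 (DF)
05:12:50.074471 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.074602 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
""".splitlines()

SYN = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):")

def parse(lines):
    """Yield (seconds, src, sport, dst, dport, seq); lines must be in capture order."""
    day, prev = 0, 0.0
    for line in lines:
        m = SYN.match(line.strip())
        if not m:
            continue                      # skip ellipses, date markers, non-SYN packets
        h, mi, s, src, sport, dst, dport, seq = m.groups()
        tod = int(h) * 3600 + int(mi) * 60 + float(s)
        if tod < prev:                    # clock went backwards: capture crossed midnight
            day += 1
        prev = tod
        yield day * 86400 + tod, src, int(sport), dst, int(dport), int(seq)

def summarize(lines, burst_gap=60.0):
    """Per (src, dport): distinct targets, bursts, hours spanned, source ports seen."""
    groups = defaultdict(list)
    for ev in parse(lines):
        groups[(ev[1], ev[4])].append(ev)
    out = {}
    for key, evs in groups.items():
        uniq = {(e[3], e[5]): e for e in evs}          # same dst+seq again = duplicate line
        times = sorted(e[0] for e in uniq.values())
        bursts = 1 + sum(1 for a, b in zip(times, times[1:]) if b - a > burst_gap)
        out[key] = {
            "targets": len({e[3] for e in uniq.values()}),
            "bursts": bursts,
            "span_hours": round((times[-1] - times[0]) / 3600, 1),
            "src_ports": sorted({e[2] for e in evs}),
        }
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A source that reaches many distinct targets in few probes per burst, spread over hours and always from one fixed source port, is the pattern a per-minute rate threshold misses and this per-source summary surfaces.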
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 11:39:07 PST