Re: slowish ssh scan from 149.69.85.65

From: Andreas Östling (andreasoat_private)
Date: Wed Dec 05 2001 - 12:53:41 PST

    > Russell Fulton wrote:
    > Greetings All,
    >
    > starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from
    > 149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)) who
    > have been notified -- no response yet.
    
    Hello,
    
    Same here.
    Here is the beginning of the scan as seen by Argus.
    Timestamps are UTC+1.
    
    04 Dec 01 20:47:36 tcp 149.69.85.65.20  ->  x.x.93.38.22 s
    04 Dec 01 20:47:36 tcp 149.69.85.65.20  ->  x.x.166.50.22 s
    04 Dec 01 20:58:21 tcp 149.69.85.65.20  ->  x.x.173.212.22 s
    04 Dec 01 21:08:12 tcp 149.69.85.65.20  ->  x.x.181.118.22 sR
    04 Dec 01 21:08:12 tcp 149.69.85.65.20  ->  x.x.217.252.22 s
    04 Dec 01 21:08:12 tcp 149.69.85.65.20  ->  x.x.144.240.22 s
    04 Dec 01 21:19:11 tcp 149.69.85.65.20  ->  x.x.152.146.22 s
    04 Dec 01 21:19:11 tcp 149.69.85.65.20  ->  x.x.189.24.22 s
    04 Dec 01 21:31:05 tcp 149.69.85.65.20  ->  x.x.87.40.22 sR
    04 Dec 01 21:31:05 tcp 149.69.85.65.20  ->  x.x.160.52.22 s
    04 Dec 01 21:31:05 tcp 149.69.85.65.20  ->  x.x.196.186.22 s
    04 Dec 01 21:42:04 tcp 149.69.85.65.20  ->  x.x.167.214.22 s
    04 Dec 01 21:42:04 tcp 149.69.85.65.20  ->  x.x.94.202.22 s
    04 Dec 01 22:00:43 tcp 149.69.85.65.20  ->  x.x.146.148.22 sSER
    04 Dec 01 22:00:43 tcp 149.69.85.65.20  ->  x.x.183.26.22 s
    04 Dec 01 22:11:33 tcp 149.69.85.65.20  ->  x.x.190.188.22 s
    04 Dec 01 22:23:42 tcp 149.69.85.65.20  ->  x.x.198.94.22 s
    04 Dec 01 22:33:52 tcp 149.69.85.65.20  ->  x.x.169.122.22 s
    04 Dec 01 22:58:53 tcp 149.69.85.65.20  ->  x.x.148.56.22 sR
    04 Dec 01 22:58:53 tcp 149.69.85.65.20  ->  x.x.184.190.22 s
    04 Dec 01 23:12:09 tcp 149.69.85.65.20  ->  x.x.155.218.22 s
    04 Dec 01 23:12:09 tcp 149.69.85.65.20  ->  x.x.192.96.22 s
    04 Dec 01 23:22:09 tcp 149.69.85.65.20  ->  x.x.90.112.22 s
    04 Dec 01 23:22:09 tcp 149.69.85.65.20  ->  x.x.163.124.22 s
    04 Dec 01 23:22:09 tcp 149.69.85.65.20  ->  x.x.200.2.22 s
    04 Dec 01 23:52:07 tcp 149.69.85.65.20  ->  x.x.178.192.22 s
    05 Dec 01 00:03:28 tcp 149.69.85.65.20  ->  x.x.149.220.22 s
    05 Dec 01 00:03:28 tcp 149.69.85.65.20  ->  x.x.186.98.22 s
    ...
    
    And they kept on scanning us until today, 12:13:35.
    Last entries in our log:
    
    ...
    05 Dec 01 11:20:48 tcp 149.69.85.65.20  ->  x.x.87.58.22 sR
    05 Dec 01 11:20:48 tcp 149.69.85.65.20  ->  x.x.196.204.22 sR
    05 Dec 01 11:20:48 tcp 149.69.85.65.20  ->  x.x.160.70.22 s
    05 Dec 01 11:32:28 tcp 149.69.85.65.20  ->  x.x.167.232.22 s
    05 Dec 01 11:32:28 tcp 149.69.85.65.20  ->  x.x.94.220.22 s
    05 Dec 01 11:48:21 tcp 149.69.85.65.20  ->  x.x.175.138.22 s
    05 Dec 01 12:01:58 tcp 149.69.85.65.20  ->  x.x.183.44.22 sR
    05 Dec 01 12:01:58 tcp 149.69.85.65.20  ->  x.x.146.166.22 sR
    05 Dec 01 12:13:35 tcp 149.69.85.65.20  ->  x.x.190.206.22 s
    
    
    Some hosts above are even in different class-A networks, so it seems like
    they were scanning a large number of addresses.
    
    /Andreas
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
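As an added example (not from Andreas's post, and not Argus code), a small Python summariser for flow lines in the layout shown above: it groups probes by source address and destination port, and flags a source that reaches many hosts at a rate a per-minute burst threshold would miss, reporting the span of address space touched, whether the source port was fixed (here 20), and any target whose flags record a completed handshake. The sample lines are constructed with documentation addresses, and the flag letters are read under what I take to be Argus's convention (s = SYN, S = SYN/ACK, E = established, R = RST).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the Argus lines above (not the original
# log); RFC 5737 documentation addresses stand in for the real ones.
SAMPLE = """\
04 Dec 01 20:47:36 tcp 192.0.2.65.20  ->  198.51.100.38.22 s
04 Dec 01 20:58:21 tcp 192.0.2.65.20  ->  203.0.113.50.22 s
04 Dec 01 21:08:12 tcp 192.0.2.65.20  ->  203.0.113.118.22 sR
04 Dec 01 22:00:43 tcp 192.0.2.65.20  ->  198.51.100.148.22 sSER
04 Dec 01 22:11:33 tcp 192.0.2.65.20  ->  198.51.100.26.22 s
05 Dec 01 00:03:28 tcp 192.0.2.65.20  ->  203.0.113.98.22 s
05 Dec 01 00:03:29 tcp 10.0.0.7.51234  ->  198.51.100.80.443 sSEfF
"""

def parse(line):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port, flags) or None."""
    f = line.split()
    if len(f) != 9 or f[6] != "->":
        return None
    ts = datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S")
    sip, sport = f[5].rsplit(".", 1)      # Argus writes host.port
    dip, dport = f[7].rsplit(".", 1)
    return ts, sip, int(sport), dip, int(dport), f[8]

def slow_scans(text, min_hosts=5, max_per_minute=1.0):
    """Flag (src_ip, dst_port) pairs touching many hosts at a rate too low for a
    burst detector.  Assumed Argus flags: s=SYN, S=SYN/ACK, E=established, R=RST."""
    groups = defaultdict(lambda: {"hosts": set(), "sports": set(), "ts": [], "answered": []})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, sip, sport, dip, dport, flags = rec
        g = groups[(sip, dport)]
        g["hosts"].add(dip)
        g["sports"].add(sport)
        g["ts"].append(ts)
        if "E" in flags:          # target completed the handshake: check it first
            g["answered"].append(dip)
    findings = []
    for (sip, dport), g in groups.items():
        n = len(g["hosts"])
        minutes = max((max(g["ts"]) - min(g["ts"])).total_seconds() / 60, 1)
        if n < min_hosts or n / minutes > max_per_minute:
            continue              # too few hosts, or fast enough to trip a burst rule
        findings.append({"src": sip, "dport": dport, "hosts": n,
                         "class_a": len({h.split(".")[0] for h in g["hosts"]}),
                         "hours": round(minutes / 60, 1), "answered": sorted(g["answered"]),
                         "fixed_sport": next(iter(g["sports"])) if len(g["sports"]) == 1 else None})
    return findings
```

Running `slow_scans(SAMPLE)` on the constructed lines yields one finding: six hosts in two class-A ranges over 3.3 hours from source port 20, with one target that completed the handshake.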
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 13:21:10 PST