On Sun, 9 Dec 2001, Jay D. Dyson wrote:

> I've been seeing a lot of SSHd scans of late. That in itself
> isn't odd, but the sheer volume of the scans is what's got my attention.
[...]
> Has anyone else seen this sort of thing from their systems?

yes, there is a big increase in scans for ssh, ftp, and lpd, at least
on the networks that i monitor. there also seems to be some automated tool
that scans with source port=dest. port and some other hardcoded values:

Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.19 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.15 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
[...]

also rpc scans, which have been relatively quiet for a while

Dec 7 11:22:10 195.20.70.241:111 -> my.net.1:111 SYNFIN ******SF
Dec 7 11:22:10 195.20.70.241:111 -> my.net.4:111 SYNFIN ******SF
Dec 7 11:22:11 195.20.70.241:111 -> my.net.3:111 SYNFIN ******SF

seems that christmas is coming and the kids have more time

merry christmas :)
jacek

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
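One way to pick the pattern described in the post out of netfilter logs, as an added example (not code from the original post): it flags sources that send bare SYNs with SPT equal to DPT and the same TTL/ID/WINDOW values to several destinations. The first two sample lines are the ones quoted in the post; the third, from 192.0.2.7, is constructed, and the function names and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Lines 1-2 are quoted from the post; line 3 is a constructed ordinary client SYN.
SAMPLE = """\
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.19 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:32:24 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=61.129.67.43 DST=my.little.net.15 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=20224 PROTO=TCP SPT=22 DPT=22 WINDOW=33666 RES=0x00 SYN URGP=0
Dec 10 16:33:02 wall kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=my.little.net.19 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41873 PROTO=TCP SPT=34512 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Split one netfilter LOG line into its KEY=value fields and TCP flags."""
    _, _, body = line.partition("kernel: ")
    fields = dict(KV.findall(body))
    # TCP flags are logged as bare tokens (URGP=0 is a field, not the URG flag).
    fields["FLAGS"] = frozenset(t for t in body.split() if t in FLAGS)
    return fields

def find_scanners(lines, min_targets=2):
    """Return {src: sorted targets} for sources sending bare SYNs with
    SPT == DPT and one repeated (TTL, ID, WINDOW) tuple to >= min_targets hosts."""
    hits = defaultdict(set)
    for line in lines:
        p = parse(line)
        if p.get("PROTO") != "TCP" or p["FLAGS"] != {"SYN"}:
            continue
        if p.get("SPT") is None or p.get("SPT") != p.get("DPT"):
            continue
        # A real TCP stack varies the IP ID per packet; a fixed one suggests a crafted probe.
        key = (p.get("SRC"), p.get("TTL"), p.get("ID"), p.get("WINDOW"))
        hits[key].add(p.get("DST"))
    return {k[0]: sorted(d) for k, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE.splitlines()).items():
        print(src, "->", ", ".join(targets))
```

The SYNFIN lines in the post come from a different log format and are not handled by this parser.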
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 09:57:08 PST