RE: Voluminous SSHd scanning; possible worm activity?

From: Gommers, Joep (JGommersat_private)
Date: Tue Dec 11 2001 - 05:12:24 PST

  • Next message: Markus Friedl: "Re: Voluminous SSHd scanning; possible worm activity?"

    The reason for all the scans on port 22 is not worms; it's the whole
    script-kiddie world that is scanning your ports for SSH versions:
    
    	1.2.27
    	1.2.28
    	1.2.29
    	1.2.30
    	1.2.3
    	1.2.31
    	2.1.1
    	2.2.0p1
    	
    These are the versions that can be attacked by Scut@TESO's SSH exploit. Since
    a few weeks or so ago, this exploit has reached the script-kiddie world. Also the
    'X2' exploit, which is seen less often but is more effective, is beginning to enter
    here.
    
    Also, SSH versions 2.0.x and 2.9.2 do not yet have a published exploit around.
    
    It's like the time when the wuftpd daemon versions 2.4.0, 2.5.0 and 2.6.0
    first had their public exploit.
    
    Anyway, I suggest you patch ssh to > 3.0.1 (this has a local exploit), or use
    a telnetd > 0.17.
    
    Sincerely, 
    
    Joep Gommers
    
    
    
    
    On Mon, 10 Dec 2001, Neil Dickey wrote:
    
    > >	I've been seeing a lot of SSHd scans of late.
    > [ ... ]
    > >	Has anyone else seen this sort of thing from their systems?
    > 
    > Until a month or two ago we *never* saw scans to port 22.  Now they are
    > common, though I'm not seeing anything like the intensity you describe. 
    > In a week I might see as many as six, total, and that would be a heavy
    > week for me. 
    
    	Right now, the scans I'm seeing are coming in at around six in a
    day.  Started four days ago.
    
    > Most of what I detect appear to be SYN scans.  Has anyone done a
    > honeypot study to find out what weaknesses are being exploited, or is it
    > just the usual bug in SSH1? 
    
    	Perhaps we should touch base with the HoneyNet crew and see what
    they've discovered?
    
    -Jay
    
       (    (                                                        _______
       ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
     C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
      `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBPBTjS7lDRyqRQ2a9AQHNPgQAlvrQgvUHEYYOfJeIfSj7mG4fKSfQjpaC
    eClyziq6jyziKpBecokq6jbSk9bP2K+ywZRf2oYXDDnU7ufnBjQuGIBxFNehu6VA
    1//K57kbk5MCuquOnwZHAdf3VwLoOadW4CDdZffNIBwom9pXo+FzIHnZTLjfNK+g
    CVVlZJNbSN8=
    =cRfx
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
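As an added example (not code from Joep's message or from any project named in the thread): a small Python checker that parses the identification banner an SSH server sends on connect and tests the advertised version against the list in the message above. It assumes that ssh.com SSH1 servers advertise the bare version (e.g. "SSH-1.5-1.2.27") and that the "2.1.1" and "2.2.0p1" entries are OpenSSH versions advertised as "OpenSSH_<version>"; both are assumptions, and every banner in the block is a constructed sample, not a capture. The `grab_banner` helper is for checking your own hosts and is not exercised by the sample run.

```python
"""Check SSH identification banners against the versions listed in the post.

Added example, not code from the original message or from any project named
in the thread.  The banners in SAMPLE_BANNERS are constructed for the demo.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# The versions named in the message above as targets of the TESO exploit.
TARGETED_VERSIONS = {
    "1.2.27", "1.2.28", "1.2.29", "1.2.30", "1.2.3", "1.2.31",
    "2.1.1", "2.2.0p1",
}

# Identification string the server sends first on TCP/22:
#   SSH-<protoversion>-<softwareversion>[ <comments>]CRLF
# (the format both SSH1 and SSH2 use; later written down in RFC 4253 s.4.2)
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Constructed sample banners (not captured from real hosts).  Assumption:
# ssh.com SSH1 advertises the bare version, OpenSSH advertises "OpenSSH_<ver>".
SAMPLE_BANNERS = [
    "SSH-1.5-1.2.27\r\n",
    "SSH-1.99-OpenSSH_2.2.0p1\r\n",
    "SSH-1.99-OpenSSH_3.0.2p1\r\n",
    "SSH-2.0-2.9.2 SSH Secure Shell\r\n",
    "220 ftp.example.test FTP server ready\r\n",
]


def parse_banner(line: str) -> Optional[Dict[str, str]]:
    """Split one banner line into its fields; None if it is not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def software_version(software: str) -> str:
    """Strip a vendor prefix such as 'OpenSSH_' and return the bare version."""
    return software.split("_", 1)[1] if "_" in software else software


def is_targeted(line: str) -> Tuple[bool, str]:
    """(True, version) if the banner advertises one of the listed versions.

    Matching is exact, so the list entry '1.2.3' does not also catch 1.2.30;
    a substring or prefix test would give false positives here.
    """
    fields = parse_banner(line)
    if fields is None:
        return False, ""
    version = software_version(fields["software"])
    return version in TARGETED_VERSIONS, version


def check_banners(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Run is_targeted over many banners, e.g. lines saved by a banner sweep."""
    out = []
    for line in lines:
        hit, version = is_targeted(line)
        out.append((line.strip(), hit, version))
    return out


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (for checking your own
    hosts; not used by the sample run).  Reads byte-wise, stopping at the
    newline or at 255 bytes, the maximum banner length the protocol allows."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    for banner, hit, version in check_banners(SAMPLE_BANNERS):
        tag = "TARGETED" if hit else ("not listed" if version else "not SSH")
        print(f"{banner!r:45} -> {tag} {version}")
```

Run it as a script to see the five constructed banners classified; to test a host of your own, call `is_targeted(grab_banner("your.host"))`. The exact-match set is deliberate: the posted list contains both "1.2.3" and "1.2.30", and a prefix test would conflate them.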
    



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 10:12:42 PST