We saw, on 9 December between 1327 and 1340 UTC, simultaneous ssh scans
from:

#hts  sourceIP
 339  207.218.213.222
 270  64.114.104.12
 234  63.10.45.88
 213  211.233.132.35
 212  216.209.168.65
 190  216.195.10.27
 185  213.189.160.210
 177  64.180.201.203
 171  24.201.41.23
 159  66.168.57.102
 147  202.161.118.230
 144  65.93.74.201
 143  24.201.94.113
 141  24.77.75.155
 138  65.94.8.16
 135  24.250.74.60
 132  64.118.40.136
 130  216.78.37.190
 126  203.218.49.193
 105  147.26.198.185
 100  209.197.185.2
  94  216.78.32.21

They began and ended very abruptly at the times noted above, and came from mostly North America (9 from 4 different Canadian provinces, and 9 from 7 different US states), but also from .kr, .be, .au and .hk.

In every case that I could determine, it appeared to be the usual suspects - home broadband networks. I suspect either a worm or a coordinated zombie attack.

-g

On Sun, 9 Dec 2001, Jay D. Dyson wrote:

> Hi folks,
>
> I've been seeing a lot of SSHd scans of late. That in itself
> isn't odd, but the sheer volume of the scans is what's got my attention.
> These sorts of scans used to occur infrequently, but now they're coming
> within minutes of each other, and they're coming from all over the globe.
>
> It's not in my nature to speculate wildly, but the sheer volume of
> these scans, coupled with the variety of their origins (not to mention the
> timing) leads me to wonder if a worm isn't at play here.
>
> Has anyone else seen this sort of thing from their systems?
>
> - -Jay

--
Glenn Forbes Fleming Larratt
The Lab Ratt (not briggs :-)
glrattat_private
http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
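The pattern reported above (many unrelated sources whose port 22 probes start and stop at the same moments) can be checked mechanically. The following is an added example, not part of the original thread: the three-field log format, the 60-second tolerance and the minimum group size are assumptions, and the sample addresses are constructed from documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed sample: "<UTC timestamp> <source IP> <destination port>".
# Addresses come from documentation ranges, not from the message above.
SAMPLE_LOG = """\
2001-12-09T13:05:10Z 198.51.100.7 22
2001-12-09T13:27:02Z 192.0.2.10 22
2001-12-09T13:27:05Z 203.0.113.5 22
2001-12-09T13:27:09Z 192.0.2.44 22
2001-12-09T13:30:00Z 192.0.2.10 80
2001-12-09T13:33:41Z 203.0.113.5 22
2001-12-09T13:39:50Z 192.0.2.44 22
2001-12-09T13:39:55Z 192.0.2.10 22
2001-12-09T13:39:58Z 203.0.113.5 22
2001-12-09T13:52:30Z 198.51.100.7 22
"""

def per_source_activity(log_text, port=22):
    """Return {src: [first_seen, last_seen, hits]} for probes to `port`."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != str(port):
            continue  # skip malformed lines and traffic to other ports
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        rec = seen.setdefault(fields[1], [ts, ts, 0])
        rec[0], rec[1], rec[2] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1
    return seen

def coordinated_sources(activity, tolerance=timedelta(seconds=60), min_sources=3):
    """Largest group whose first AND last probes lie within tolerance of one source's."""
    best = []
    for anchor_first, anchor_last, _ in activity.values():
        group = sorted(
            src for src, (first, last, _) in activity.items()
            if abs(first - anchor_first) <= tolerance
            and abs(last - anchor_last) <= tolerance
        )
        if len(group) > len(best):
            best = group
    return best if len(best) >= min_sources else []

if __name__ == "__main__":
    activity = per_source_activity(SAMPLE_LOG)
    for src in coordinated_sources(activity):
        first, last, hits = activity[src]
        print(f"{hits:5d} {src:15s} {first:%H:%M:%S}-{last:%H:%M:%S}")
```

A lone background scanner (198.51.100.7 in the sample) probes the same port but does not share the onset and cutoff times, so it is excluded from the group.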
This archive was generated by hypermail 2b30 : Sun Dec 16 2001 - 15:56:32 PST