On Thu, Jun 13, 2002 at 04:23:34PM -0500, mat_private wrote:
> Speaking of which, has anyone else noticed an upturn in
> ssh scanning lately?

Not especially:

grappa:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
3
grappa:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
1
grappa:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
3

These are all hits on the IP address I IRC from (also the NAT'ed
address for other DHCP'ed machines in my internal network, but there
weren't any of those turned on in the span of time covered by those
logs).

Sources:

148.208.229.1 at Jun 14 04:14:21, 04:17:09, and 04:21:09, all from source port 1106
66.122.116.3 at Jun 13 04:18:22, source port 22 (curious)
210.179.223.220 at Jun 11 04:08:08, source port 22 again
68.40.135.83 at Jun 11 07:55:07 and 07:55:10, source port 22

None of these are scanssh; it uses a high source port even as root.

With the exception of 210.179.223.220, these are US DSL/cable
customers. The standout is Korean.

Nothing shocking.

uriel:/var/log# grep -v '@.*:.* p ' ipmon | grep ssh | wc -l
0
uriel:/var/log# zcat ipmon.0.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
0
uriel:/var/log# zcat ipmon.1.gz | grep -v '@.*:.* p ' | grep ssh | wc -l
1

The one hit there is from 66.122.116.3 too and happened nine seconds
later than the one above. So a PacBell DSL customer was scanning
Speakeasy (I am one in 66.92.234/24) customers. Whoop-de-doo.

--
gabriel rosenkoetter
grat_private
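
The per-source breakdown in the message above can be produced in one pass instead of by reading the grep output by hand. This is an added example, not part of the original message: it assumes ipmon's syslog layout with port names resolved, the function names `ssh_hits` and `sample_log` are hypothetical, and the log lines and destination addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumed ipmon layout: ... iface @group:rule action src,port -> dst,port PR ...

# Tally non-passed hits on destination port ssh, per source address and port.
# Prints "<src> <sport> <count> <note>"; note is low-sport when the source port
# is a service name or below 1024 (the message notes scanssh uses a high one).
ssh_hits() {
    awk '
    {
        r = 0   # index of the @group:rule field; the action letter follows it
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) { r = i; break }
        if (!r || $(r + 1) == "p" || $(r + 3) != "->") next   # skip passed packets
        ns = split($(r + 2), s, ",")
        nd = split($(r + 4), d, ",")
        if (ns != 2 || nd != 2) next                  # no ports: not TCP/UDP
        if (d[2] != "ssh" && d[2] != "22") next       # keep ssh destinations only
        key = s[1] " " s[2]
        count[key]++
        note[key] = (s[2] !~ /^[0-9]+$/ || s[2] + 0 < 1024) ? "low-sport" : "-"
    }
    END { for (k in count) print k, count[k], note[k] }
    ' | LC_ALL=C sort
}

# Constructed sample lines; 192.0.2.10 and 198.51.100.5 are placeholder addresses.
sample_log() {
    cat <<'EOF'
Jun 14 04:14:21 grappa ipmon[98]: 04:14:20.967315 xl0 @0:7 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 14 04:17:09 grappa ipmon[98]: 04:17:08.112004 xl0 @0:7 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 14 04:21:09 grappa ipmon[98]: 04:21:08.530771 xl0 @0:7 b 148.208.229.1,1106 -> 192.0.2.10,ssh PR tcp len 20 48 -S IN
Jun 13 04:18:22 grappa ipmon[98]: 04:18:21.402118 xl0 @0:7 b 66.122.116.3,ssh -> 192.0.2.10,ssh PR tcp len 20 40 -S IN
Jun 13 05:00:00 grappa ipmon[98]: 04:59:59.900310 xl0 @0:2 p 192.0.2.10,40000 -> 198.51.100.5,ssh PR tcp len 20 48 -S OUT
Jun 13 05:01:00 grappa ipmon[98]: 05:00:59.250000 xl0 @0:7 b 203.0.113.9,3321 -> 192.0.2.10,telnet PR tcp len 20 48 -S IN
EOF
}

sample_log | ssh_hits
```

Rotated logs can be fed the same way, for example `zcat ipmon.0.gz | ssh_hits`.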
This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 12:25:58 PDT