Security Incidents mailing list archives
Re: Voluminous SSHd scanning; possible worm activity?
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 10 Dec 2001 09:31:03 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE----- On Mon, 10 Dec 2001, Neil Dickey wrote:
I've been seeing a lot of SSHd scans of late.[ ... ]Has anyone else seen this sort of thing from their systems?Until a month or two ago we *never* saw scans to port 22. Now they are common, though I'm not seeing anything like the intensity you describe. In a week I might see as many as six, total, and that would be a heavy week for me.
Right now, the scans I'm seeing are coming in at around six in a day. Started four days ago.
Most of what I detect appear to be SYN scans. Has anyone done a honeypot study to find out what weaknesses are being exploited, or is it just the usual bug in SSH1?
Perhaps we should touch base with the HoneyNet crew and see what they've discovered? - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee"-. >====<--. C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) | = |-' `--' `--' `---------- Si vis pacem, para bellum. ----------' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBPBTjS7lDRyqRQ2a9AQHNPgQAlvrQgvUHEYYOfJeIfSj7mG4fKSfQjpaC eClyziq6jyziKpBecokq6jbSk9bP2K+ywZRf2oYXDDnU7ufnBjQuGIBxFNehu6VA 1//K57kbk5MCuquOnwZHAdf3VwLoOadW4CDdZffNIBwom9pXo+FzIHnZTLjfNK+g CVVlZJNbSN8= =cRfx -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Armando Ortiz (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Russell Fulton (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Jacek Lipkowski (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Glenn Forbes Fleming Larratt (Dec 16)
- Re: Voluminous SSHd scanning; possible worm activity? Clarissa Cook (Dec 17)
- <Possible follow-ups>
- Re: Voluminous SSHd scanning; possible worm activity? Neil Dickey (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Schroeder, Eric (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Markus Friedl (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Schroeder, Eric (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Florian Weimer (Dec 10)
- Re: Voluminous SSHd scanning; possible worm activity? Markus Friedl (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Florian Weimer (Dec 10)
- RE: Voluminous SSHd scanning; possible worm activity? Gommers, Joep (Dec 11)
- RE: Voluminous SSHd scanning; possible worm activity? Damien Miller (Dec 11)
- RE: Voluminous SSHd scanning; possible worm activity? Jay D. Dyson (Dec 11)
- Re: Voluminous SSHd scanning; possible worm activity? Bertrand Lupart (Dec 12)
(Thread continues...)