Re: Voluminous SSHd scanning; possible worm activity?

["Jay D. Dyson" <jdyson () treachery net>]

-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 10 Dec 2001, Neil Dickey wrote:

> >     I've been seeing a lot of SSHd scans of late.
> [ ... ]
> >     Has anyone else seen this sort of thing from their systems?
>
> Until a month or two ago we *never* saw scans to port 22.  Now they are
> common, though I'm not seeing anything like the intensity you describe. 
> In a week I might see as many as six, total, and that would be a heavy
> week for me. 

        Right now, the scans I'm seeing are coming in at around six in a
day.  Started four days ago.

> Most of what I detect appear to be SYN scans.  Has anyone done a
> honeypot study to find out what weaknesses are being exploited, or is it
> just the usual bug in SSH1? 

        Perhaps we should touch base with the HoneyNet crew and see what
they've discovered?

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPBTjS7lDRyqRQ2a9AQHNPgQAlvrQgvUHEYYOfJeIfSj7mG4fKSfQjpaC
eClyziq6jyziKpBecokq6jbSk9bP2K+ywZRf2oYXDDnU7ufnBjQuGIBxFNehu6VA
1//K57kbk5MCuquOnwZHAdf3VwLoOadW4CDdZffNIBwom9pXo+FzIHnZTLjfNK+g
CVVlZJNbSN8=
=cRfx
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com