Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 10 Dec 2001 11:22:24 -0600 (CST)


"Jay D. Dyson" <jdyson () treachery net>

Please forgive me for replying to you *and* the list, but I wanted to
make sure you got to see what I wrote.

      I've been seeing a lot of SSHd scans of late.
[ ... ]
      Has anyone else seen this sort of thing from their systems?

Until a month or two ago we *never* saw scans to port 22.  Now they
are common, though I'm not seeing anything like the intensity you
describe.  In a week I might see as many as six, total, and that
would be a heavy week for me.

Most of what I detect appears to be SYN scans.  Has anyone done a
honeypot study to find out what weaknesses are being exploited, or
is it just the usual bug in SSH1?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com