Security Incidents mailing list archives

Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog

From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Thu, 27 Dec 2001 11:33:21 -0500 (EST)

On Sun, 23 Dec 2001, Matthew D. Close wrote:

There seem to be two types of scanning going on, one that looks like
scanssh.  Then another that's a SYN scan, with a normal reconnect to
port 22 if the first scan found anything open.


scanssh -p will do that, maybe that is what is going on:

     -p ifaddr
             Specifies the address of the local interface.  This is used to
             speed up the scanning by pre-probing the addresses with TCP-SYN
             packets.

makes a massive performance enhancement.


____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog Steffen Dettmer (Dec 23)
- Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog Sebastian Jaenicke (Dec 24)
- Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog Matthew D. Close (Dec 24)
  - Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog Jose Nazario (Dec 28)