Security Incidents mailing list archives

RE: Attacks against SSH?


From: "CHURCH,GENO (Non-HP-USA,ex1)" <walter_church () non hp com>
Date: Tue, 4 Dec 2001 06:37:38 -0800

Here are the associated companies that belong to the IPs. You could contact
them and find out why they are probing. Hope this helps.

Nov 29 20:52:34 204.89.181.4


Exchange Network Services, Inc. (NET-NET-EN)
   25931 Euclid Ave. #145
   Euclid, OH 44132
   US

   Netname: NET-EN
   Netblock: 204.89.181.0 - 204.89.181.255

   Coordinator:
      Master, Host  (HM283-ARIN)  HostMaster () Voyager net
      (517)324-8940

   Domain System inverse mapping provided by:

   E0.NS.VOYAGER.NET            169.207.2.72
   E1.NS.VOYAGER.NET            207.89.128.13
   E2.NS.VOYAGER.NET            207.0.229.252

   Record last updated on 01-Nov-2000.
   Database last updated on  3-Dec-2001 19:56:03 EDT.


-------------------------

130.88.1.135


University of Manchester (NET-MANNET)
   Manchester
   GB

   Netname: MANLAN
   Netblock: 130.88.0.0 - 130.88.255.255

   Coordinator:
      Myers, Patrick  (PM115-ARIN)  myers () mcc ac uk
      +44 61 275 6016

   Domain System inverse mapping provided by:

   DIR.MCC.AC.UK                130.88.200.4
   URSA.CNS.UMIST.AC.UK         130.88.210.1
   UTSERV.MCC.AC.UK             130.88.200.6

   Record last updated on 26-Oct-1993.
   Database last updated on  3-Dec-2001 19:56:03 EDT.
--------------------------------

200.176.47.199


Comite Gestor da Internet no Brasil (NETBLK-BRAZIL-BLK2)
   R. Pio XI, 1500
   Sao Paulo, SP 05468-901
   BR

   Netname: BRAZIL-BLK2
   Netblock: 200.128.0.0 - 200.255.255.255
   Maintainer: BR

   Coordinator:
      Registro.br  (NF-ORG-ARIN)  blkadm () nic br
      +55 19 9119-0304

   Domain System inverse mapping provided by:

   NS.DNS.BR                    143.108.23.2
   NS1.DNS.BR                   200.255.253.234
   NS2.DNS.BR                   200.19.119.99

   These addresses have been further assigned to Brazilian users.
   Contact information can be found at the WHOIS server located
   at whois.registro.br and at http://whois.nic.br

   Record last updated on 30-Aug-2001.
   Database last updated on  3-Dec-2001 19:56:03 EDT.
-----------------------------


64.45.60.239


NETlimited (NETBLK-NETLIMITED-3)
   3250 Wilshire Blvd #707
   Los Angeles, CA 90010
   US

   Netname: NETLIMITED-3
   Netblock: 64.45.0.0 - 64.45.63.255
   Maintainer: NELI

   Coordinator:
      Webmaster, NETLimited  (LE242-ARIN)  domainreg () NETLIMITED NET
      +1-213-252-9779 (FAX) +1-213-368-2341

   Domain System inverse mapping provided by:

   DNS1.NETSERVERS.NET          209.196.128.21
   DNS2.NETSERVERS.NET          209.196.128.22

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 06-Jun-2001.
   Database last updated on  3-Dec-2001 19:56:03 EDT.
-----------------------

62.2.203.210


inetnum:      62.2.200.0 - 62.2.212.255
netname:      CABLECOM-MAIN-NET
descr:        Cablecom GmbH
descr:        Zuerich
country:      CH
remarks:      ************************************************************
remarks:      For spam/abuse, please contact abuse () cablecom ch
remarks:      ************************************************************
admin-c:      WM5132-RIPE
admin-c:      WM5132-RIPE
tech-c:       CAN6-RIPE
tech-c:       CAN6-RIPE
status:       ASSIGNED PA
notify:       lir-mnt () cablecom ch
mnt-by:       AS8404-MNT
changed:      wilson.mehringer () cablecom ch 20011018
changed:      wilson.mehringer () cablecom ch 20011022
source:       RIPE



Geno

-----Original Message-----
From: Steven S [mailto:stevensl () corp earthlink net]
Sent: Monday, December 03, 2001 3:07 PM
To: incidents () securityfocus com
Subject: Re: Attacks against SSH?



I've seen the following IPs try connecting to my home box. My fw drops the
connection attempts.

Nov 29 20:52:34 204.89.181.4
Nov 30 20:19:59 130.88.1.135
Dec  1 16:12:16 200.176.47.199
Dec  3 06:30:15 64.45.60.239
Dec  3 16:01:51 62.2.203.210

Obviously not anything "widespread"; I get many times that many port 139
and 80 scans in a single day.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


