About SSH scanning

[Joan Miquel Vigo <jmv () icf uab es>]

Hi there.
I've read the topics about SSH attacks & SSH incidents posted recently, so I
reviewed some logs and this is what I've found:

scanned from 150.101.181.246 with SSH-1.0-SSH_Version_Mapper. Don't panic

I've checked ARIN and Google:
- the IP is from an australian ISP (eth503.qld.adsl.internode.on.net)
- the SSH Version Mapper is a scanner that probes SSH servers for their
software version and which hosts run vulnerable versions. Paper available at
http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf and you can
get the source code at http://www.monkey.org/~provos/scanssh/

On the other hand, I've not found any login attempt using 'test'

Regards
Joan Miquel Vigo