Security Incidents mailing list archives

port 22->port 22 scans
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sat, 6 Oct 2001 02:08:49 +0200 (MET DST)

On Thursday (Oct 4), we detected four sweeps looking for open
TCP port 22 (ssh):

   Approx. time   Source IP           Source FQDN
   07:05 GMT      162.105.195.118     skltr.mech.pku.edu.cn
   12:33 GMT      64.124.36.229       (none)
   21:01 GMT      134.100.226.18      mtgp8.zmaw.de
   21:41 GMT      131.152.102.64      xunil1.physik.unibas.ch

The traits of all those sweeps were very similar:

- the source port of all probes was 22
- all probes within one sweep had the same IP ID (*)
- lost/filtered probes were not retried
- the sweeps were pretty fast, hundreds of addresses in a few seconds
- no actual i/o was done

(*) With 1 exception that had a TTL different from other logged probes
in the sweep as well.

Is there any kind of SSH worm out there?!

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

