[Full-disclosure] Spike in SSH scans

Shaun shaun at shaunc.com
Mon Oct 22 18:28:41 BST 2007


I saw an unusually high volume of scans between 2200 and 0000 last night
on my residential connection. They all made their initial probe using
'mysql' as the user. On average it looks like each of them made around
15 attempts, which is fairly low, and points to a scanner smart enough
to recognize that it's been firewalled out.

So far, nothing out of the ordinary at work or on dedicated servers.
Maybe it's only targeting consumer connections? FWIW, my residential IP
is in 75.65/16.

-s

On Sun, 21 Oct 2007 21:20:38 -0600
James Lay <jlay at slave-tothe-box.net> wrote:

> Anyone else seeing these?  Started about 3 hours ago... here's a snippet:
> 
> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH
> Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc
> activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
> 
> And a current list of hits in the last 3 hours:
> 
> 124.39.168.43
> 129.13.250.46
> 145.253.128.85
> 148.245.157.217
> 149.99.20.238
> 161.106.180.173
> 193.158.0.195
> 194.25.114.106
> 195.113.185.38
> 195.138.155.54
> 195.228.238.186
> 195.56.72.157
> 195.73.54.73
> 200.126.111.38
> 200.62.177.91
> 200.79.37.194
> 201.16.17.246
> 201.216.245.25
> 201.245.109.170
> 211.139.69.28
> 212.101.30.8
> 212.202.248.130
> 212.248.23.6
> 213.136.105.130
> 213.156.69.126
> 213.186.47.65
> 213.255.77.62
> 213.35.211.206
> 213.66.184.110
> 213.84.74.76
> 216.193.233.168
> 217.110.171.150
> 217.113.71.130
> 217.151.68.244
> 217.156.103.234
> 217.160.19.157
> 217.71.214.191
> 218.207.69.8
> 218.249.108.166
> 60.12.130.117
> 62.105.180.178
> 62.112.158.141
> 62.218.215.134
> 62.65.142.213
> 62.76.246.253
> 64.81.228.200
> 66.236.209.227
> 67.118.242.129
> 67.132.173.150
> 70.107.224.252
> 70.151.62.113
> 72.248.139.227
> 77.104.241.141
> 80.200.249.230
> 80.201.241.44
> 80.33.222.48
> 80.51.139.82
> 80.55.142.66
> 81.180.88.6
> 81.68.198.23
> 81.75.124.51
> 82.103.102.12
> 82.141.44.153
> 82.239.231.89
> 83.15.246.226
> 83.151.18.189
> 83.19.34.46
> 83.227.183.88
> 83.236.170.54
> 83.246.96.38
> 83.246.96.54
> 83.65.141.94
> 85.114.130.199
> 85.120.129.130
> 85.17.10.106
> 85.214.54.182
> 85.48.224.186
> 87.127.193.225
> 88.32.56.1
> 89.110.147.183
> 89.171.12.78
> 91.192.189.19
> 
> James
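A defender's way to turn the two things in this thread (the Snort alert line James posted and the "about 15 attempts, first user mysql" pattern Shaun describes) into a quick triage script. This is an added example, not code from either poster: it parses the Snort alert format shown above, parses standard OpenSSH "Failed password" lines, and flags sources whose first attempt used the probe username and which gave up after a handful of tries. The sshd log lines and the second Snort line are constructed (documentation address ranges), and the threshold of 20 attempts is an assumption.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Snort alert format as it appears in James's log line:
#   HH:MM:SS host snort[pid]: [gid:sid:rev] MSG [Classification: X] [Priority: N]: {PROTO} SRC:SPORT -> DST:DPORT
SNORT_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Standard OpenSSH wording for a failed password login (the sample lines are constructed).
SSHD_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)

# First line is James's alert (unwrapped); the second is constructed.
SAMPLE_SNORT = """\
21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
21:20:41 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 198.51.100.7:41022 -> 192.168.0.2:22
"""

# Constructed sshd auth log excerpt (RFC 5737 documentation addresses).
SAMPLE_SSHD = """\
Oct 21 22:03:11 gw sshd[2201]: Failed password for invalid user mysql from 198.51.100.7 port 41022 ssh2
Oct 21 22:03:14 gw sshd[2203]: Failed password for invalid user mysql from 198.51.100.7 port 41030 ssh2
Oct 21 22:03:17 gw sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 41041 ssh2
Oct 21 22:10:02 gw sshd[2250]: Failed password for root from 203.0.113.9 port 50211 ssh2
Oct 21 22:10:05 gw sshd[2252]: Failed password for root from 203.0.113.9 port 50219 ssh2
Oct 21 22:10:08 gw sshd[2254]: Failed password for invalid user mysql from 203.0.113.9 port 50230 ssh2
Oct 21 22:10:11 gw sshd[2256]: Accepted publickey for alice from 192.0.2.44 port 52000 ssh2
"""


def parse_snort(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Snort alert line, or None if it is not an alert."""
    m = SNORT_RE.search(line)
    return m.groupdict() if m else None


def snort_sources(lines: Iterable[str], sid: str = "2006435") -> Counter:
    """Count alerts per source IP for one signature id (default: the LibSSH scan rule)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_snort(line)
        if rec and rec["sid"] == sid:
            counts[rec["src"]] += 1
    return counts


def ssh_failures(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each source IP to the ordered list of usernames it failed with."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            out[m.group("src")].append(m.group("user"))
    return dict(out)


def summarize(failures: Dict[str, List[str]],
              probe_user: str = "mysql",
              give_up_below: int = 20) -> List[Tuple[str, int, str, str]]:
    """Per source: (ip, attempts, first user, label).

    'probe-then-leave' marks the behaviour Shaun describes: the first probe uses
    the probe username and the source stops after fewer than give_up_below tries
    (the 20-attempt cut-off is an assumption, tune it to your own logs).
    """
    rows = []
    for src, users in sorted(failures.items()):
        first = users[0]
        probe = first == probe_user and len(users) < give_up_below
        rows.append((src, len(users), first, "probe-then-leave" if probe else "other"))
    return rows


if __name__ == "__main__":
    print("Snort LibSSH alerts by source:", dict(snort_sources(SAMPLE_SNORT.splitlines())))
    for row in summarize(ssh_failures(SAMPLE_SSHD.splitlines())):
        print("%-16s attempts=%-3d first=%-8s %s" % row)
```

Feed real files with `summarize(ssh_failures(open("/var/log/auth.log")))`; sources labelled "probe-then-leave" are the low-volume scanners worth correlating against the Snort source list, while "other" sources with high counts are the ones a rate limiter or host-based blocker should already be catching.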

Full-Disclosure is hosted and sponsored by Secunia.