[unisog] step up in SSH scanning starting today?
Peter Van Epp
vanepp at sfu.ca
Mon May 12 23:27:39 GMT 2008
On Mon, May 12, 2008 at 01:40:01PM -0700, Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially
> from .KR?
>
> A friend at a local ISP (CA.US) reported this morning that they usually
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with
> more sources popping up at about 1 new per hour. Most sources in China,
> and KR, IIRC.
>
> Another site (UK) reported a similar but not quite as aggressive set of
> new sweeps, all theirs from .KR IP space.
>
> I'm not seeing it here.
>
> What's the consensus? Isolated or major ramp-up?
I've been hearing reports of this from the argus community for the last
couple of weeks, but we don't seem to be seeing it either. Our external scan
report for the last 24 hours (til 6AM this morning) shows only one ssh scan
(there are usually 2 or 3). Other ports are more popular:

source IP          number of hosts   number of responses   port or ports
60.28.175.37               275,046                   715   port 10416
90.80.40.219               196,556                 9,084   port 5900
202.109.175.74             164,594                 1,037   port 1433 and 3124-3127
203.171.228.138             71,379                   458   port 1433
71.127.178.29               69,612                     0   port 137
121.162.129.138             65,538                   243   port 22
85.25.130.176               65,536                   213   port 411
67.19.211.130               65,535                   238   port 10000
196.12.220.156              65,530                 2,986   port 5900
58.68.178.45                65,404                 2,996   port 5900

Results were similar the other couple of times I looked.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada