[unisog] step up in SSH scanning starting today?
John Ives
jives at security.berkeley.edu
Wed May 14 16:14:59 GMT 2008
To add some real numbers to this discussion, I went through our logs to
find out how many IP addresses were port scanning for port 22 over the
past month. As you can see, the numbers started climbing on the 7th,
with our largest single day being the 12th. Do I know what has caused
this spike? No, but it is certainly there.
John
SSH scanners
Day Uniq IPs
4/14/2008 19
4/15/2008 17
4/16/2008 27
4/17/2008 21
4/18/2008 21
4/19/2008 31
4/20/2008 26
4/21/2008 35
4/22/2008 31
4/23/2008 30
4/24/2008 22
4/25/2008 26
4/26/2008 26
4/27/2008 27
4/28/2008 36
4/29/2008 20
4/30/2008 29
5/1/2008 28
5/2/2008 25
5/3/2008 30
5/4/2008 33
5/5/2008 31
5/6/2008 33
5/7/2008 111
5/8/2008 72
5/9/2008 63
5/10/2008 75
5/11/2008 107
5/12/2008 213
5/13/2008 97
Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially
> from .KR?
>
> A friend at a local ISP (CA.US) reported this morning that they usually
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with
> more sources popping up at about 1 new per hour. Most sources in China,
> and KR, IIRC.
>
> Another site (UK) reported a similar but not quite as aggressive set of
> new sweeps, all theirs from .KR IP space.
>
> I'm not seeing it here.
>
> What's the consensus? Isolated or major ramp-up?
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
--
-------------------------------------------------------------------------
John Ives Phone (510) 642-7773
System & Network Security Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
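An added example, not part of the original message or of the poster's tooling: one way to flag the rise automatically is to compare each day's unique-scanner count against a trailing median/MAD baseline built from unflagged days. The counts are copied from the table in the message; the 14-day window and the multiplier of 3 are assumptions chosen for illustration.

```python
from datetime import date, timedelta
from statistics import median

START = date(2008, 4, 14)
# Daily unique port-22 scanner counts, copied from the table in the message.
UNIQ_IPS = [19, 17, 27, 21, 21, 31, 26, 35, 31, 30, 22, 26, 26, 27, 36, 20,
            29, 28, 25, 30, 33, 31, 33, 111, 72, 63, 75, 107, 213, 97]


def find_spikes(counts, start=START, window=14, k=3.0):
    """Return [(day, count, baseline_median)] for days above the threshold.

    window and k are illustrative assumptions, not values from the message.
    """
    normal, spikes = [], []
    for offset, count in enumerate(counts):
        day = start + timedelta(days=offset)
        recent = normal[-window:]
        if len(recent) == window:
            base = median(recent)
            mad = median(abs(c - base) for c in recent)
            # 1.4826 scales MAD to a standard deviation for normal data;
            # the floor of 1 avoids a zero-width band on a flat baseline.
            threshold = base + k * max(1.4826 * mad, 1.0)
            if count > threshold:
                spikes.append((day, count, base))
                continue  # keep flagged days out of the baseline
        normal.append(count)
    return spikes


if __name__ == "__main__":
    for day, count, base in find_spikes(UNIQ_IPS):
        print(f"{day}  {count:4d} unique sources  "
              f"({count / base:.1f}x trailing median {base})")
```

Keeping flagged days out of the baseline matters here: a plain rolling window would absorb the 111 from the 7th and raise the threshold for the days that follow.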