[Dshield] SSH Scans

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 8 17:06:28 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> The last couple of days I have seen an increasing amount of ssh version
> scans on our servers.
> 
> When I check these, they all seem to originate from systems running
> SSH-1.99-OpenSSH_2.1.1 [apparently some exploit in that version is abused].
> Contacting the admins of these systems has confirmed these were compromised.
> 
> Am I the only one to notice this increase [i.e. is it incidental and pure
> coincidence] or is some kind of worm suddenly active (again)?

It could be that somebody wrapped the crc exploit into a worm. Send me 
some of the source IPs off list please.


- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE76ruWVOIizK5pIDMRAv3DAJ4nWSPPe/tkpd3dsbS7C0sOl0oz0QCgoFmi
NAANKXqO+1Ba/9VrjUB35M8=
=1KRc
-----END PGP SIGNATURE-----



