[Dshield] SSH Scans.. Worm?

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 8 18:20:53 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I attached below a quick database query for ssh scans.
Interesting: The number of sources increased significantly.
While the number of 'hits' (first column) is notoriously
fluctuating (if someone hits a large submitter for example),
the number of sources is usually a better indication of
things that may be going on.

This is not a confirmation for a new worm. But it's a 'hint'
that something may be going on. If anybody captures details,
let me know.



|    Date    |     'hits' |       distinct sources |
| 2001-10-26 |        715 |                     37 |
| 2001-10-27 |        466 |                     30 |
| 2001-10-28 |        495 |                     30 |
| 2001-10-29 |        484 |                     39 |
| 2001-10-30 |       1169 |                     49 |
| 2001-10-31 |       2005 |                     47 |
| 2001-11-01 |      66672 |                     47 |
| 2001-11-02 |       1531 |                     42 |
| 2001-11-03 |       2154 |                     36 |
| 2001-11-04 |       2083 |                     48 |
| 2001-11-05 |       1117 |                     49 |
| 2001-11-06 |      68062 |                     83 |
| 2001-11-07 |       1100 |                    310 |
| 2001-11-08 |         85 |                     13 |


- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE76s0HVOIizK5pIDMRAvAuAJ4gY96dmXtPO1uoFUgxeirP25qEYACg/hCW
YB+EcO46EB/lPrcIdKaojWw=
=whc0
-----END PGP SIGNATURE-----
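
Added example, not part of the original message and not the DShield query: a small script that scores each day's 'hits' and distinct sources from the table above against a trailing median/MAD baseline, to show how differently the two columns alert. The window, the threshold and the function names are assumptions chosen for illustration.

```python
import statistics

# Daily counts copied from the table in the message: date, 'hits', distinct sources.
TABLE = """\
2001-10-26 715 37
2001-10-27 466 30
2001-10-28 495 30
2001-10-29 484 39
2001-10-30 1169 49
2001-10-31 2005 47
2001-11-01 66672 47
2001-11-02 1531 42
2001-11-03 2154 36
2001-11-04 2083 48
2001-11-05 1117 49
2001-11-06 68062 83
2001-11-07 1100 310
2001-11-08 85 13
"""
WINDOW = 5       # assumption: trailing days used as the baseline
THRESHOLD = 3.5  # assumption: modified z-score cut-off

def parse(table):
    # One (date, hits, sources) tuple per line.
    return [(d, int(h), int(s)) for d, h, s in (ln.split() for ln in table.splitlines())]

def modified_z(value, baseline):
    # Median/MAD score: one huge day in the baseline does not mask the next one.
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    return 0.6745 * (value - med) / max(mad, 1)  # floor MAD at 1 for flat baselines

def flag_increases(rows, column):
    # Dates whose count in `column` (1 = hits, 2 = sources) jumps above the baseline.
    flagged = []
    for i in range(WINDOW, len(rows)):
        baseline = [r[column] for r in rows[i - WINDOW:i]]
        if modified_z(rows[i][column], baseline) > THRESHOLD:
            flagged.append(rows[i][0])
    return flagged

ROWS = parse(TABLE)
HIT_ALERTS = flag_increases(ROWS, 1)
SOURCE_ALERTS = flag_increases(ROWS, 2)
print("alerts on hits:   ", HIT_ALERTS)
print("alerts on sources:", SOURCE_ALERTS)
```

With these settings the 'hits' column alerts on 2001-10-31, 2001-11-01 and 2001-11-06, while the sources column alerts only on 2001-11-06 and 2001-11-07. The 2001-11-07 row (1100 hits, 310 sources) is caught by the sources column alone.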



