[unisog] step up in SSH scanning starting today?

Peter Van Epp vanepp at sfu.ca
Mon May 12 23:27:39 GMT 2008


On Mon, May 12, 2008 at 01:40:01PM -0700, Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially 
> from .KR?
> 
> A friend at a local ISP (CA.US) reported this morning that they usually 
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with 
> more sources popping up at about 1 new per hour.  Most sources in China, 
> and KR, IIRC.
> 
> Another site (UK) reported a similar but not quite as aggressive set of 
> new sweeps, all theirs from .KR IP space.
> 
> I'm not seeing it here.
> 
> What's the consensus?  Isolated or major ramp-up?

	I've been hearing reports of this from the argus community for the last
couple of weeks, but we don't seem to be seeing it either. Our external scan
report for the last 24 hours (until 6 AM this morning) shows only one SSH scan
(there are usually 2 or 3). Other ports are more popular:

      source IP    number of hosts    number of responses    port or ports

   60.28.175.37            275,046                    715    port 10416
   90.80.40.219            196,556                  9,084    port 5900
 202.109.175.74            164,594                  1,037    port 1433 and 3124-3127
203.171.228.138             71,379                    458    port 1433
  71.127.178.29             69,612                      0    port 137
121.162.129.138             65,538                    243    port 22
  85.25.130.176             65,536                    213    port 411
  67.19.211.130             65,535                    238    port 10000
 196.12.220.156             65,530                  2,986    port 5900
   58.68.178.45             65,404                  2,996    port 5900

	Results were similar the other couple of times I looked.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

