[unisog] step up in SSH scanning starting today?
Peter Van Epp
vanepp at sfu.ca
Mon May 12 23:27:39 GMT 2008
On Mon, May 12, 2008 at 01:40:01PM -0700, Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially
> from .KR?
> A friend at a local ISP (CA.US) reported this morning that they usually
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with
> more sources popping up at about 1 new per hour. Most sources in China,
> and KR, IIRC.
> Another site (UK) reported a similar but not quite as aggressive set of
> new sweeps, all theirs from .KR IP space.
> I'm not seeing it here.
> What's the consensus? Isolated or major ramp-up?
I've been hearing reports of this from the argus community for the last
couple of weeks, but we don't seem to be seeing it either. Our external scan
report for the last 24 hours (til 6AM this morning) shows only one ssh scan
(there are usually 2 or 3). Other ports are more popular:
source IP        number of hosts   number of responses   port or ports
220.127.116.11   275,046           715                   port 10416
18.104.22.168    196,556           9,084                 port 5900
22.214.171.124   164,594           1,037                 port 1433 and 3124-3127
126.96.36.199    71,379            458                   port 1433
188.8.131.52     69,612            0                     port 137
184.108.40.206   65,538            243                   port 22
220.127.116.11   65,536            213                   port 411
18.104.22.168    65,535            238                   port 10000
22.214.171.124   65,530            2,986                 port 5900
126.96.36.199    65,404            2,996                 port 5900
Results were similar the other couple of times I looked.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada