[unisog] step up in SSH scanning starting today?

John Ives jives at security.berkeley.edu
Wed May 14 16:14:59 GMT 2008


To add some real numbers to this discussion, I went through our logs to 
find out how many IP addresses were port scanning for port 22 over the 
past month.  As you can see, the numbers started climbing on the 7th, 
with our largest single day being the 12th.  Do I know what has caused 
this spike?  No, but it is certainly there.

John


SSH scanners   
Day               Uniq IPs
4/14/2008    19
4/15/2008    17
4/16/2008    27
4/17/2008    21
4/18/2008    21
4/19/2008    31
4/20/2008    26
4/21/2008    35
4/22/2008    31
4/23/2008    30
4/24/2008    22
4/25/2008    26
4/26/2008    26
4/27/2008    27
4/28/2008    36
4/29/2008    20
4/30/2008    29
5/1/2008    28
5/2/2008    25
5/3/2008    30
5/4/2008    33
5/5/2008    31
5/6/2008    33
5/7/2008    111
5/8/2008    72
5/9/2008    63
5/10/2008    75
5/11/2008    107
5/12/2008    213
5/13/2008    97



Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially 
> from .KR?
>
> A friend at a local ISP (CA.US) reported this morning that they usually 
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with 
> more sources popping up at about 1 new per hour.  Most sources in China, 
> and KR, IIRC.
>
> Another site (UK) reported a similar but not quite as aggressive set of 
> new sweeps, all theirs from .KR IP space.
>
> I'm not seeing it here.
>
> What's the consensus?  Isolated or major ramp-up?


-- 
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security			     Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
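
One way to put a number on the spike in the table above, as an added example that is not part of the original message: each day is scored against the median and MAD of the preceding 14 unflagged days. The 14-day window, the 3.5 threshold and the function name are assumptions chosen for illustration; the counts are the ones in the table.

```python
from datetime import date, timedelta
from statistics import median

# Daily unique-source counts copied from the table in the message above,
# 4/14/2008 through 5/13/2008.
START = date(2008, 4, 14)
COUNTS = [19, 17, 27, 21, 21, 31, 26, 35, 31, 30, 22, 26, 26, 27, 36,
          20, 29, 28, 25, 30, 33, 31, 33, 111, 72, 63, 75, 107, 213, 97]


def flag_spikes(counts, start, window=14, threshold=3.5):
    """Return [(day, count, score)] for days far above the trailing baseline.

    window and threshold are assumed tuning values, not from the message.
    """
    baseline, flagged = [], []
    for offset, count in enumerate(counts):
        recent = baseline[-window:]
        if len(recent) == window:
            mid = median(recent)
            mad = median(abs(c - mid) for c in recent)
            # 1.4826 scales MAD to a standard deviation for normal data;
            # the floor of 1.0 avoids dividing by zero on a flat baseline.
            score = (count - mid) / max(1.4826 * mad, 1.0)
            if score > threshold:
                day = start + timedelta(days=offset)
                flagged.append((day, count, round(score, 1)))
                continue  # keep spike days out of the baseline
        baseline.append(count)
    return flagged


if __name__ == "__main__":
    for day, count, score in flag_spikes(COUNTS, START):
        print(f"{day.isoformat()}  uniq_ips={count:<4} robust_z={score}")
```

Leaving flagged days out of the baseline keeps a sustained ramp-up from raising its own threshold, so every day of the run stays visible rather than only the first.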



