Date: Mon, 22 Oct 2007 15:42:07 -0400 (EDT)
From: "Steven Adair" <steven@...urityzone.org>
To: "Shaun" <shaun@...unc.com>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Spike in SSH scans

ISC just put up a diary on it that has a little bit more information for
anyone interested:

http://isc.sans.org/diary.html?storyid=3529

Steven
www.securityzone.org

> I saw an unusually high volume of scans between 2200 and 0000 last night
> on my residential connection. They all made their initial probe using
> 'mysql' as the user. On average it looks like each of them made around
> 15 attempts, which is fairly low, and points to a scanner smart enough
> to recognize that it's been firewalled out.
>
> So far, nothing out of the ordinary at work or on dedicated servers.
> Maybe it's only targeting consumer connections? FWIW, my residential IP
> is in 75.65/16.
>
> -s
>
> On Sun, 21 Oct 2007 21:20:38 -0600
> James Lay <jlay@...ve-tothe-box.net> wrote:
>
>> Anyone else seeing these?  Started about 3 hours ago..here's a snippet:
>>
>> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH
>> Based SSH Connection - Often used as a BruteForce Tool [Classification:
>> Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
>>
>> And a current list of hits in the last 3 hours:
>>
>> 124.39.168.43
>> 129.13.250.46
>> 145.253.128.85
>> 148.245.157.217
>> 149.99.20.238
>> 161.106.180.173
>> 193.158.0.195
>> 194.25.114.106
>> 195.113.185.38
>> 195.138.155.54
>> 195.228.238.186
>> 195.56.72.157
>> 195.73.54.73
>> 200.126.111.38
>> 200.62.177.91
>> 200.79.37.194
>> 201.16.17.246
>> 201.216.245.25
>> 201.245.109.170
>> 211.139.69.28
>> 212.101.30.8
>> 212.202.248.130
>> 212.248.23.6
>> 213.136.105.130
>> 213.156.69.126
>> 213.186.47.65
>> 213.255.77.62
>> 213.35.211.206
>> 213.66.184.110
>> 213.84.74.76
>> 216.193.233.168
>> 217.110.171.150
>> 217.113.71.130
>> 217.151.68.244
>> 217.156.103.234
>> 217.160.19.157
>> 217.71.214.191
>> 218.207.69.8
>> 218.249.108.166
>> 60.12.130.117
>> 62.105.180.178
>> 62.112.158.141
>> 62.218.215.134
>> 62.65.142.213
>> 62.76.246.253
>> 64.81.228.200
>> 66.236.209.227
>> 67.118.242.129
>> 67.132.173.150
>> 70.107.224.252
>> 70.151.62.113
>> 72.248.139.227
>> 77.104.241.141
>> 80.200.249.230
>> 80.201.241.44
>> 80.33.222.48
>> 80.51.139.82
>> 80.55.142.66
>> 81.180.88.6
>> 81.68.198.23
>> 81.75.124.51
>> 82.103.102.12
>> 82.141.44.153
>> 82.239.231.89
>> 83.15.246.226
>> 83.151.18.189
>> 83.19.34.46
>> 83.227.183.88
>> 83.236.170.54
>> 83.246.96.38
>> 83.246.96.54
>> 83.65.141.94
>> 85.114.130.199
>> 85.120.129.130
>> 85.17.10.106
>> 85.214.54.182
>> 85.48.224.186
>> 87.127.193.225
>> 88.32.56.1
>> 89.110.147.183
>> 89.171.12.78
>> 91.192.189.19
>>
>> James
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
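The pattern Shaun describes above, many sources each making only a handful of attempts with the same username, slips under per-IP lockout thresholds. Below is an added example (not from anyone in this thread) of detection logic that reads sshd "Failed password" lines and compares the per-source view with a per-username view across sources. The log lines are constructed for the example and use RFC 5737 documentation addresses; the thresholds (a fail2ban-style maxretry of 5 and a minimum of 4 distinct sources) are arbitrary assumptions, not values from the post or the ISC diary.

```python
"""Spot a distributed, low-rate SSH brute-force campaign in sshd logs.

Counting failures per source (the IP-blocker view) misses a scanner that
tries each target only a few times from many different hosts.  Grouping
the same failed username across sources makes the campaign visible.
"""
import re
from collections import defaultdict

# Constructed sshd syslog lines for this example (not from the original
# post); addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 21 22:03:11 gw sshd[4121]: Invalid user mysql from 203.0.113.5
Oct 21 22:03:12 gw sshd[4121]: Failed password for invalid user mysql from 203.0.113.5 port 40112 ssh2
Oct 21 22:03:14 gw sshd[4121]: Failed password for invalid user mysql from 203.0.113.5 port 40112 ssh2
Oct 21 22:09:40 gw sshd[4130]: Failed password for invalid user mysql from 203.0.113.77 port 51200 ssh2
Oct 21 22:09:42 gw sshd[4130]: Failed password for invalid user mysql from 203.0.113.77 port 51200 ssh2
Oct 21 22:31:05 gw sshd[4188]: Failed password for invalid user mysql from 198.51.100.12 port 33910 ssh2
Oct 21 22:31:07 gw sshd[4188]: Failed password for invalid user mysql from 198.51.100.12 port 33910 ssh2
Oct 21 23:02:19 gw sshd[4201]: Failed password for invalid user mysql from 198.51.100.201 port 60022 ssh2
Oct 21 23:02:21 gw sshd[4201]: Failed password for invalid user mysql from 198.51.100.201 port 60022 ssh2
Oct 21 23:44:50 gw sshd[4250]: Failed password for invalid user mysql from 192.0.2.9 port 44510 ssh2
Oct 21 23:44:52 gw sshd[4250]: Failed password for invalid user mysql from 192.0.2.9 port 44510 ssh2
Oct 21 23:50:01 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:50:03 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:50:05 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:50:07 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:50:09 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:50:11 gw sshd[4260]: Failed password for root from 192.0.2.200 port 38080 ssh2
Oct 21 23:55:00 gw sshd[4270]: Accepted publickey for alice from 192.0.2.33 port 50000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user mysql from ..." as written by OpenSSH.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (username, source_ip) for every failed-password line; ignore the rest."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def noisy_sources(lines, maxretry=5):
    """Per-source view: sources with more than `maxretry` failures.

    This is roughly what an IP-based lockout tool would act on.
    """
    counts = defaultdict(int)
    for _user, src in parse_failures(lines):
        counts[src] += 1
    return {src: n for src, n in counts.items() if n > maxretry}


def distributed_campaigns(lines, min_sources=4, maxretry=5):
    """Per-username view: usernames tried from at least `min_sources`
    distinct hosts while no single host exceeded `maxretry`, i.e. activity
    that stays under the per-IP threshold but is clearly coordinated."""
    per_user = defaultdict(lambda: defaultdict(int))  # user -> src -> failures
    for user, src in parse_failures(lines):
        per_user[user][src] += 1
    campaigns = {}
    for user, srcs in per_user.items():
        if len(srcs) >= min_sources and max(srcs.values()) <= maxretry:
            campaigns[user] = {
                "sources": len(srcs),
                "attempts": sum(srcs.values()),
                "max_per_source": max(srcs.values()),
            }
    return campaigns


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-source (maxretry=5):", noisy_sources(lines))
    print("distributed campaigns:  ", distributed_campaigns(lines))
```

On the constructed sample the per-source view flags only the single host hammering `root`, while the `mysql` campaign (five sources, two attempts each) is invisible to it and only shows up in the per-username view. Against real logs, feed `/var/log/auth.log` (or `journalctl -u ssh`) line by line and tune `min_sources` to the size of the network being watched.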
