Re: [Full-disclosure] Spike in SSH scans



I saw an unusually high volume of scans between 2200 and 0000 last night
on my residential connection. They all made their initial probe using
'mysql' as the user. On average it looks like each of them made around
15 attempts, which is fairly low, and points to a scanner smart enough
to recognize that it's been firewalled out.

So far, nothing out of the ordinary at work or on dedicated servers.
Maybe it's only targeting consumer connections? FWIW, my residential IP
is in 75.65/16.

-s
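Two details in the report above are worth capturing mechanically from sshd's own log rather than eyeballed: the username used on a source's first probe, and the number of attempts each source makes before it gives up. The script below is an added example for this thread, not code from either poster. It parses constructed sshd auth.log lines (the source addresses are RFC 5737 documentation placeholders, not the addresses listed in the thread), aggregates failed logins per source, and flags sources whose first attempt used 'mysql'. The 'mysql' first-user heuristic and the minimum-attempt threshold are assumptions chosen to match the observation in the post; tune them to what your own logs show.

```python
"""Summarise SSH brute-force activity from sshd 'Failed password' lines."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in sshd's syslog format. Addresses are RFC 5737
# placeholders, not the scanning hosts reported on the list.
SAMPLE_LOG = """\
Oct 21 22:03:11 gw sshd[4121]: Invalid user mysql from 203.0.113.5
Oct 21 22:03:11 gw sshd[4121]: Failed password for invalid user mysql from 203.0.113.5 port 21823 ssh2
Oct 21 22:03:14 gw sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 21840 ssh2
Oct 21 22:03:17 gw sshd[4125]: Failed password for root from 203.0.113.5 port 21855 ssh2
Oct 21 22:40:02 gw sshd[4200]: Failed password for invalid user mysql from 198.51.100.9 port 50122 ssh2
Oct 21 22:40:05 gw sshd[4202]: Failed password for invalid user oracle from 198.51.100.9 port 50130 ssh2
Oct 21 23:10:40 gw sshd[4301]: Accepted publickey for alice from 192.0.2.77 port 40001 ssh2
Oct 21 23:15:01 gw sshd[4305]: Failed password for alice from 192.0.2.77 port 40010 ssh2
"""

# Matches both "Failed password for invalid user X" (unknown account) and
# "Failed password for X" (existing account); 'Invalid user' pre-auth lines
# and successful logins deliberately do not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


@dataclass
class SourceStats:
    first_user: str            # username on the source's first failed attempt
    attempts: int = 0          # total failed password attempts seen
    users: list = field(default_factory=list)  # distinct usernames, first-seen order


def parse_failed_logins(log_text):
    """Return {ip: SourceStats} aggregated over 'Failed password' lines."""
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        s = stats.setdefault(ip, SourceStats(first_user=user))
        s.attempts += 1
        if user not in s.users:
            s.users.append(user)
    return stats


def suspicious_sources(stats, first_user="mysql", min_attempts=2):
    """Sources whose first failed attempt used `first_user` and that kept trying.

    `first_user` and `min_attempts` are assumed thresholds, not values from the post."""
    return sorted(ip for ip, s in stats.items()
                  if s.first_user == first_user and s.attempts >= min_attempts)


if __name__ == "__main__":
    stats = parse_failed_logins(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:16} first={s.first_user:8} attempts={s.attempts:3} users={','.join(s.users)}")
    print("flagged:", suspicious_sources(stats))
```

Run it against a real file with `parse_failed_logins(open("/var/log/auth.log").read())`. A per-source attempt count that clusters around a small fixed number across many sources, as described above, is itself a useful signal: a dumb wordlist attacker keeps hammering, while a scanner that stops after a handful of failures is reacting to your response.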

On Sun, 21 Oct 2007 21:20:38 -0600
James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:

Anyone else seeing these? Started about 3 hours ago... here's a snippet:

21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22

And a current list of hits in the last 3 hours:

124.39.168.43
129.13.250.46
145.253.128.85
148.245.157.217
149.99.20.238
161.106.180.173
193.158.0.195
194.25.114.106
195.113.185.38
195.138.155.54
195.228.238.186
195.56.72.157
195.73.54.73
200.126.111.38
200.62.177.91
200.79.37.194
201.16.17.246
201.216.245.25
201.245.109.170
211.139.69.28
212.101.30.8
212.202.248.130
212.248.23.6
213.136.105.130
213.156.69.126
213.186.47.65
213.255.77.62
213.35.211.206
213.66.184.110
213.84.74.76
216.193.233.168
217.110.171.150
217.113.71.130
217.151.68.244
217.156.103.234
217.160.19.157
217.71.214.191
218.207.69.8
218.249.108.166
60.12.130.117
62.105.180.178
62.112.158.141
62.218.215.134
62.65.142.213
62.76.246.253
64.81.228.200
66.236.209.227
67.118.242.129
67.132.173.150
70.107.224.252
70.151.62.113
72.248.139.227
77.104.241.141
80.200.249.230
80.201.241.44
80.33.222.48
80.51.139.82
80.55.142.66
81.180.88.6
81.68.198.23
81.75.124.51
82.103.102.12
82.141.44.153
82.239.231.89
83.15.246.226
83.151.18.189
83.19.34.46
83.227.183.88
83.236.170.54
83.246.96.38
83.246.96.54
83.65.141.94
85.114.130.199
85.120.129.130
85.17.10.106
85.214.54.182
85.48.224.186
87.127.193.225
88.32.56.1
89.110.147.183
89.171.12.78
91.192.189.19

James


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
