Re: Pretty stealthy SSH scanning seen on the Internet.

From: Kent Engström (kent@unit.liu.se)
Date: 09/10/01


To: incidents@securityfocus.com
Date: 10 Sep 2001 12:23:21 +0200
Message-ID: <m37kv7e44m.fsf@ceres.unit.liu.se>

Dug Song <dugsong@monkey.org> writes:
> On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:
>
> > Anyone else seen this, or have any further information?
>
> dollars to donuts it's just niels:
>
> http://www.monkey.org/~provos/scanssh/
>
> he'll be publishing his results soon at a conference near you...

From the logs posted by Erik Fichtner <techs@obfuscation.org>:
> Sep 9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.

dig -x 199.171.27.50 gives:
> 50.27.171.199.in-addr.arpa. 57m20s IN PTR www10.gti.net.

Would Niels really use a machine whose PTR record was "www10.gti.net"
to do that kind of scan?

We have seen this IP scan our netblock too.

-- 
Kent Engström,		Linköping University Incident Response Team
kent@unit.liu.se  	abuse@liu.se
+46 13 28 1744

UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
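
The check described in the message above (which source addresses trigger sshd's "Did not receive ident string" line, on how many hosts, and what reverse name to query for each) can be run over collected syslog. This is an added example, not part of the original post; only the first sample line comes from the thread, and the other lines, host names and the `summarize` function are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# sshd writes this line when a client connects and leaves without sending its
# version banner. Wording as in the post; later OpenSSH spells out "identification".
PATTERN = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Did not receive ident(?:ification)? string from (?P<src>\S+)"
)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "Sep  9 15:21:22 hostA sshd[64608]: Did not receive ident string from 199.171.27.50.",
    "Sep  9 15:21:23 hostB sshd[311]: Did not receive ident string from 199.171.27.50.",
    "Sep  9 15:21:25 hostC sshd[912]: Did not receive ident string from 199.171.27.50.",
    "Sep  9 16:02:10 hostA sshd[64700]: Did not receive ident string from 192.0.2.14.",
    "Sep  9 16:05:44 hostA sshd[64712]: Accepted password for alice from 192.0.2.20 port 1022",
]

def summarize(lines):
    """Group banner-less SSH connections by source address."""
    seen = defaultdict(lambda: {"events": 0, "targets": set()})
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue
        try:
            # The log line ends the address with a full stop; drop it.
            src = ipaddress.ip_address(m.group("src").rstrip("."))
        except ValueError:
            continue  # not an address (e.g. a resolved host name)
        seen[src]["events"] += 1
        seen[src]["targets"].add(m.group("host"))
    report = [
        {"source": str(src),
         "ptr_query": src.reverse_pointer,  # the name "dig -x" looks up
         "events": info["events"],
         "targets": sorted(info["targets"])}
        for src, info in seen.items()
    ]
    # Sources seen on the most distinct hosts first: a sweep, not a stray client.
    report.sort(key=lambda r: (-len(r["targets"]), -r["events"], r["source"]))
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```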
