Re: port 22->port 22 scans

From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Date: 10/13/01


From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Date: Sat, 13 Oct 2001 23:12:03 +0200 (MET DST)
To: incidents@securityfocus.com
Subject: Re: port 22->port 22 scans
Message-ID: <Pine.LNX.4.30.0110121530090.2446@localhost.localdomain>

On Sat, 6 Oct 2001, spaceork wrote:

> This appears to be the work of the synscan tool. Did the common IP IDs
> happen to have a value of 39426?

No. Probes from two different sweeps had different IP IDs.
But wait...it was 39426 during the first sweep (from 162.105.195.118).

On Sun, 7 Oct 2001, Gushterul wrote:

> because of exploit of ssh made in zip/teso i guess :)

An exploit of the old bug in deattack.c?

On Mon, 8 Oct 2001 RWilkie@sfe.com.au wrote:

> Looks like it is just http://www.monkey.org/~provos/scanssh/ doing the
> rounds again. I've been picking up a fair few SSHD probes from kiddies
> around the place.

I am not sure. That program appears to use a random source port and does
not set a fixed (nonzero) IP ID for all probes it sends. Moreover, scanssh
establishes a real TCP connection to hosts where an open port 22/tcp has been
found, but I did not experience anything like that.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
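The three traits argued over in this thread (fixed source port 22, a fixed nonzero IP ID such as 39426, and whether the scanner ever completes a handshake) can be checked mechanically against firewall or sniffer records. The following is an added illustration, not code from this message or from synscan/scanssh; the packet records, addresses and the "S"/"A" flag encoding are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of inbound packets to port 22/tcp (not real captures).
# Fields: src, sport, dport, ipid, flags ("S" = SYN, "A" = ACK of handshake).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "sport": 22, "dport": 22, "ipid": 39426, "flags": "S"},
    {"src": "192.0.2.10", "sport": 22, "dport": 22, "ipid": 39426, "flags": "S"},
    {"src": "192.0.2.10", "sport": 22, "dport": 22, "ipid": 39426, "flags": "S"},
    # second source: random source ports, varying IP IDs, completed handshake
    {"src": "198.51.100.7", "sport": 40123, "dport": 22, "ipid": 5011, "flags": "S"},
    {"src": "198.51.100.7", "sport": 40124, "dport": 22, "ipid": 5012, "flags": "S"},
    {"src": "198.51.100.7", "sport": 40124, "dport": 22, "ipid": 5013, "flags": "A"},
]

SYNSCAN_IPID = 39426  # fixed IP ID value discussed in the thread


def profile_sources(packets):
    """Group packets by source and summarise the traits the thread argues about."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    out = {}
    for src, pkts in by_src.items():
        syns = [p for p in pkts if p["flags"] == "S"]
        sports = {p["sport"] for p in syns}
        ipids = {p["ipid"] for p in syns}
        fixed_ipid = len(ipids) == 1 and 0 not in ipids
        out[src] = {
            "syn_count": len(syns),
            "fixed_sport_22": sports == {22},
            "fixed_ipid": fixed_ipid,
            "ipid_is_39426": fixed_ipid and SYNSCAN_IPID in ipids,
            "completed_connection": any(p["flags"] == "A" for p in pkts),
        }
    return out


def likely_tool(profile):
    """Heuristic label from the traits: synscan-like, scanssh-like, or unknown."""
    if profile["fixed_sport_22"] and profile["fixed_ipid"] and not profile["completed_connection"]:
        return "synscan-like (fixed src port 22, fixed IP ID, no handshake)"
    if not profile["fixed_sport_22"] and not profile["fixed_ipid"] and profile["completed_connection"]:
        return "scanssh-like (random src port, varying IP ID, connects)"
    return "unknown"
```

Feed it SYN and handshake-ACK records from your own logs to see which of the two patterns a sweep matches; a source that fits neither gets "unknown" rather than a guess.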

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
