Re: slowish ssh scan from 149.69.85.65
From: Glenn Forbes Fleming Larratt (glratt@io.com)
Date: 12/05/01
Date: Wed, 5 Dec 2001 11:52:35 -0600 (CST)
From: Glenn Forbes Fleming Larratt <glratt@io.com>
To: <incidents@securityfocus.com>

On Wed, 5 Dec 2001, Russell Fulton wrote:
> Greetings All,
>
> starting on 4th Dec 2001 at 19:47 (UTC) we saw an unusual scan from
> 149.69.85.65 (owned by St. John Fisher College (NET-PSINET-B-69)) who
> have been notified -- no response yet.
>
> times are UTC:
>
> Here are argus logs from the start of the scan:
>
> 04 Dec 01 19:47:36 tcp 149.69.85.65.20 -> 130.216.246.76.22 S_
Us, too (i.e. noted and blocked) (timestamps in CST [6hr west of UTC]):
[4 Dec ...]
18:49:26.223817 149.69.85.65.20 > MY.NET.10.38.22: S 2168502234:2168502234(0) win 16383 (DF)
18:49:26.224625 149.69.85.65.20 > MY.NET.46.172.22: S 1105269703:1105269703(0) win 16383 (DF)
18:49:26.227256 149.69.85.65.20 > MY.NET.83.50.22: S 1657904554:1657904554(0) win 16383 (DF)
19:37:53.536652 149.69.85.65.20 > MY.NET.186.198.22: S 3121786201:3121786201(0) win 16383 (DF)
19:37:53.536980 149.69.85.65.20 > MY.NET.223.76.22: S 2535195653:2535195653(0) win 16383 (DF)
20:23:45.174780 149.69.85.65.20 > MY.NET.253.212.22: S 2148637354:2148637354(0) win 16383 (DF)
22:11:58.666148 149.69.85.65.20 > MY.NET.132.70.22: S 2788760079:2788760079(0) win 16383 (DF)
:
:
:
[5 Dec ...]
04:09:35.725747 149.69.85.65.20 > MY.NET.24.234.22: S 2517150545:2517150545(0) win 16383 (DF)
04:09:35.727293 149.69.85.65.20 > MY.NET.61.112.22: S 1628242169:1628242169(0) win 16383 (DF)
04:09:35.727798 149.69.85.65.20 > MY.NET.97.246.22: S 2442363253:2442363253(0) win 16383 (DF)
04:09:35.728948 149.69.85.65.20 > MY.NET.134.124.22: S 1516061231:1516061231(0) win 16383 (DF)
04:09:35.729401 149.69.85.65.20 > MY.NET.171.2.22: S 2274091846:2274091846(0) win 16383 (DF)
04:09:35.729733 149.69.85.65.20 > MY.NET.207.136.22: S 1263654121:1263654121(0) win 16383 (DF)
05:01:53.515893 149.69.85.65.20 > MY.NET.91.248.22: S 1300803353:1300803353(0) win 16383 (DF)
05:12:50.074005 149.69.85.65.20 > MY.NET.26.142.22: S 1540461245:1540461245(0) win 16383 (DF)
05:12:50.074471 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.074602 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.075101 149.69.85.65.20 > MY.NET.99.154.22: S 1318554152:1318554152(0) win 16383 (DF)
05:25:35.554361 149.69.85.65.20 > MY.NET.34.48.22: S 2277649205:2277649205(0) win 16383 (DF)
05:25:35.554696 149.69.85.65.20 > MY.NET.70.182.22: S 1268990159:1268990159(0) win 16383 (DF)
05:25:35.555322 149.69.85.65.20 > MY.NET.107.60.22: S 1903485238:1903485238(0) win 16383 (DF)
05:25:35.555674 149.69.85.65.20 > MY.NET.143.194.22: S 2855227857:2855227857(0) win 16383 (DF)
05:25:35.556002 149.69.85.65.20 > MY.NET.180.72.22: S 2135358137:2135358137(0) win 16383 (DF)
--
Glenn Forbes Fleming Larratt
The Lab Ratt (not briggs :-)
glratt@io.com
http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
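
The log above shows small bursts of SYNs to port 22 separated by long gaps, a pattern that stays under short-window rate thresholds. As an added example (not part of the original post), this Python code parses tcpdump lines in the format shown and flags a source by distinct targets over the whole capture; the function names and the thresholds `min_targets` and `burst_gap` are assumptions, and the sample is a subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Subset of the tcpdump lines quoted in the post, day markers included.
SAMPLE = """\
[4 Dec ...]
18:49:26.223817 149.69.85.65.20 > MY.NET.10.38.22: S 2168502234:2168502234(0) win 16383 (DF)
18:49:26.224625 149.69.85.65.20 > MY.NET.46.172.22: S 1105269703:1105269703(0) win 16383 (DF)
19:37:53.536652 149.69.85.65.20 > MY.NET.186.198.22: S 3121786201:3121786201(0) win 16383 (DF)
22:11:58.666148 149.69.85.65.20 > MY.NET.132.70.22: S 2788760079:2788760079(0) win 16383 (DF)
[5 Dec ...]
04:09:35.725747 149.69.85.65.20 > MY.NET.24.234.22: S 2517150545:2517150545(0) win 16383 (DF)
05:12:50.074471 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
05:12:50.074602 149.69.85.65.20 > MY.NET.63.20.22: S 2310691867:2310691867(0) win 16383 (DF)
"""

DAY = re.compile(r"^\[(\d+) \w+")
SYN = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): S ")

def parse(text):
    """Yield (seconds, src, sport, dst, dport) for each SYN line."""
    day = 0  # day of month from "[4 Dec ...]" markers; assumes no month rollover
    for line in text.splitlines():
        if m := DAY.match(line):
            day = int(m.group(1))
        elif m := SYN.match(line):
            h, mi, s, src, sport, dst, dport = m.groups()
            t = day * 86400 + int(h) * 3600 + int(mi) * 60 + float(s)
            yield t, src, int(sport), dst, int(dport)

def slow_scanners(text, port=22, min_targets=5, burst_gap=60.0):
    """Sources hitting >= min_targets distinct hosts on `port`, over any time span."""
    seen = defaultdict(lambda: {"targets": set(), "times": []})
    for t, src, _sport, dst, dport in parse(text):
        if dport == port:
            seen[src]["targets"].add(dst)
            seen[src]["times"].append(t)
    report = {}
    for src, d in seen.items():
        if len(d["targets"]) < min_targets:
            continue
        ts = sorted(d["times"])
        # A new burst starts whenever the gap to the previous SYN exceeds burst_gap.
        bursts = 1 + sum(1 for a, b in zip(ts, ts[1:]) if b - a > burst_gap)
        peak = max(sum(1 for u in ts if t0 <= u < t0 + burst_gap) for t0 in ts)
        report[src] = {"targets": len(d["targets"]), "bursts": bursts,
                       "span_s": ts[-1] - ts[0], "peak_per_window": peak}
    return report
```

Counting distinct targets rather than packets means the retransmitted SYN to MY.NET.63.20 is not counted twice, and `peak_per_window` shows how few packets any single 60-second window contains.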