Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog

From: Jose Nazario (jose@biocserver.BIOC.cwru.edu)
Date: 12/27/01


Date: Thu, 27 Dec 2001 11:33:21 -0500 (EST)
From: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
To: "Matthew D. Close" <mclose@exodus.net>

On Sun, 23 Dec 2001, Matthew D. Close wrote:

> There seem to be two types of scanning going on, one that looks like
> scanssh. Then another that's a SYN scan, with a normal reconnect to
> port 22 if the first scan found anything open.

scanssh -p will do that, maybe that is what is going on:

     -p ifaddr
             Specifies the address of the local interface. This is used to
             speed up the scanning by pre-probing the addresses with TCP-SYN
             packets.

makes a massive performance enhancement.

____________________________
jose nazario jose@cwru.edu
                           PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com