Steady increase in ssh scans

Date: 02/11/02

Date: Mon, 11 Feb 2002 11:35:40 -0500
From: "TCG CSIRT" <>
To: <>

Some simple trending....

sshd syn connections from portscan logging on a single gateway for:
Nov: 484
Dec: 1145
Jan: 1753

February is on track to recieve over 2000 at the current rate on this particular gateway.

This shows a sharp increase in ssh portscans. This also raises the following questions:

Is this a normal increase considering the vulnerabilities made public late last year?
Is anyone (everyone) else seeing the same type of activity?
Has anyone seen evidence of a worm?

Here's my concern. With worms like nimda, lion, and others, sniffing is a major factor in analyzing the worm's propogation and exploitatoin methods. An ssh based worm could take sniffing out of the picture (the attack is over an encrypted service) and reduce forensic analysis to artifact examination.

Is anyone co-ordinating artifact analysis on hosts compromised over sshd vulnerabilities? Has anyone seen identical (or very similar) artifacts left behind on multiple compromised hosts?

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: