Re: "Don't panic"?

From: Steve Snyder (swsnyder@home.com)
Date: 01/30/02


From: Steve Snyder <swsnyder@home.com>
Date: Wed, 30 Jan 2002 14:08:27 GMT

Mike Iglesias wrote:

> In article <m1lk7u0ls31.fsf@sys1.des.jhy.us.ml.com>,
> Richard Silverman <res@des.jhy.us.ml.com> wrote:
>>What "abuse" would you have him report? He has a box connected to the
>>Internet, with an SSH server accepting connections from anywhere. Someone
>>connected to it, exchanged a few bytes according to the SSH protocol, then
>>disconnected. That's not abuse; it's what's supposed to happen.
>
> Well Richard, if you've been scanned almost 60 times this month (like
> we have) by people looking for ssh servers on your network, you'd
> report it too. It's kinda obvious that if you're seeing scans from
> scanssh, someone is mapping sshd versions on your network. If you don't
> know who it's from, I doubt it's friendly.

If all (or most) of my scans were from a single source, I would complain to
the admin of the source. Alas, the origins of the scans don't seem to
follow a pattern. So who do I complain to?

This from the last 3 days:

# grep panic /var/log/secure
Jan 27 07:27:54 sunburn sshd[20270]: scanned from 203.248.195.95 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 10:42:14 sunburn sshd[31826]: scanned from 213.9.31.226 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 10:52:57 sunburn sshd[31838]: scanned from 203.63.212.202 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 15:54:17 sunburn sshd[32382]: scanned from 203.146.184.8 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 30 04:48:07 sunburn sshd[2204]: scanned from 203.235.96.67 with SSH-1.0-SSH_Version_Mapper. Don't panic.

# for ip in `grep panic /var/log/secure | cut -d ' ' -f8`; do dig -x $ip | grep SOA; done
195.248.203.in-addr.arpa. 10692 IN SOA nis.dacom.co.kr. dnsmaster.bora.net. 2002013002 21600 900 604800 43200
31.9.213.in-addr.arpa. 86400 IN SOA ns3.nrw-online.de. torsten.ns.nrw-online.de. 2000041109 28800 7200 604800 86400
212.63.203.in-addr.arpa. 10663 IN SOA yarrina.connect.com.au. hostmaster.connect.com.au. 2002011100 21600 600 604800 172800
184.146.203.in-addr.arpa. 3445 IN SOA ns.tnet.co.th. problem.loxinfo.co.th. 2000091100 3600 300 3600000 3600
96.235.203.in-addr.arpa. 6418 IN SOA mit.miwon.co.kr. root.mit.miwon.co.kr. 2001122711 10800 3600 604800 86400

Thanks.
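As an added illustration (not part of Steve's post or of any project's code), here is the grep/cut/dig triage above done in Python over constructed sample lines in the same sshd format: the five lines from the post plus two made-up ones, a repeat hit on a syslog date padded with two spaces and an ordinary login that must be ignored. It parses the "scanned from" entries, derives the /24 in-addr.arpa zone that the `dig -x` SOA answers named, and flags only sources that recur, which is the case where a complaint to the source admin has someone to go to.

```python
import re
from collections import Counter

# Constructed sample: the post's five lines plus two invented ones (a repeat
# from the first source on "Feb  2", and a normal login that is not a scan).
SAMPLE_LOG = """\
Jan 27 07:27:54 sunburn sshd[20270]: scanned from 203.248.195.95 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 10:42:14 sunburn sshd[31826]: scanned from 213.9.31.226 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 10:52:57 sunburn sshd[31838]: scanned from 203.63.212.202 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 29 15:54:17 sunburn sshd[32382]: scanned from 203.146.184.8 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 30 04:48:07 sunburn sshd[2204]: scanned from 203.235.96.67 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Feb  2 03:11:45 sunburn sshd[2310]: scanned from 203.248.195.95 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Feb  2 03:12:01 sunburn sshd[2311]: Accepted publickey for steve from 192.0.2.7 port 40022 ssh2
"""

# Anchored on the message text, not on a field number, so the double space in
# "Feb  2" that would shift `cut -d ' ' -f8` onto the wrong field is harmless.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: scanned from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) with (?P<banner>\S+?)\.\s+Don't panic\.$"
)

def parse_scans(log_text):
    """Return one (timestamp, source ip, scanner banner) tuple per scan line."""
    return [(m["ts"], m["ip"], m["banner"])
            for m in map(SCAN_RE.match, log_text.splitlines()) if m]

def reverse_zone(ip):
    """/24 reverse zone for an IPv4 address, i.e. the zone whose SOA the post's
    `dig -x` loop printed (203.248.195.95 -> 195.248.203.in-addr.arpa.)."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."

def hits_by_source(events):
    """Scan counts per source IP and per reverse zone (the network to contact)."""
    by_ip = Counter(ip for _, ip, _ in events)
    by_zone = Counter(reverse_zone(ip) for _, ip, _ in events)
    return by_ip, by_zone

def repeat_sources(events, min_hits=2):
    """Sources seen at least min_hits times: the only ones worth reporting."""
    by_ip, _ = hits_by_source(events)
    return sorted(ip for ip, n in by_ip.items() if n >= min_hits)

if __name__ == "__main__":
    ev = parse_scans(SAMPLE_LOG)
    by_ip, by_zone = hits_by_source(ev)
    print(f"{len(ev)} scans from {len(by_ip)} sources in {len(by_zone)} zones")
    for zone, n in by_zone.most_common():
        print(f"{n:3d}  {zone}")
    print("repeat sources:", repeat_sources(ev) or "none")
```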