Network Security Incidents

Re: Internet SSH scans

Subject: Re: Internet SSH scans
Date: Fri, 03 Mar 2006 13:04:11 -0500
Yes,

These scans are also taking place on IP ranges known to be owned by large server ISPs. I was seeing them on my servers until I tightened my IPFW rules; I haven't tried verifying OS/other info on the source IPs though (Doh!)... If I had been thinking at the time, I could have written a script to at least try to do an nmap -sS -P0 -O on them and save it somewhere... oh well...

I have servers co-located with a couple of ISPs as well as on a Home-Office DSL line, FreeBSD based mostly, but there is 1 Solaris box and 1 Linux box. The ones on the DSL line have been really quiet. The ones with the ISPs have been getting pounded with SSL brute force attempts and also people trying to proxy themselves through the Apache installation (on a couple of them) even though it is compiled without the proxy option...

I'm guessing it is focusing on academic networks, as the post I am replying to said, as well as ISPs, as those are two of the places with the strongest reputations for having vulnerable boxes. I am actually shocked to have not seen this traffic on my DSL boxes.

I guess we are lucky this is not a worm attacking the many vulnerable unpatched OpenSSH installs on the I-Net.

--
------------------
Jon Adams
PGP Key: http://www.ja6.com/pubkey.asc
Web: http://www.scis.nova.edu/~jonaadam



admin@chem.uw.edu.pl wrote:

I have many SSH scans in my large academic network. IMO scanning hosts are 
Windows zombies.

/p


