[nsp-sec] SSH scan question
Smith, Donald
Donald.Smith at qwest.com
Tue Feb 17 16:11:12 EST 2009
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Torbjorn.Wictorin at cert.sunet.se
> Sent: Monday, February 16, 2009 7:16 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] SSH scan question
>
> ----------- nsp-security Confidential --------
>
> hi,
>
> we have seen some SSH scans that differ from the standard pattern:
> First a number of usual connect attempts, about 13-16 packets in each
> direction and about 1k/3k data (failed logon attempts, I guess).
>
> But then:
> a number of connects, one minute apart with around 2500/2500 packets,
> 140000/140000 byte data. That is: (about) equal number of packets and
> bytes in each direction.
Do you mean 2500 packets per minute in both directions and 140KB in both directions in a minute?
If so, that doesn't sound like a scan to me. That would be 56 bytes per packet, just about right for a brute-force attempt.
>
> The same for a number of hosts, but not all probed.
>
> No sign of a successful logon in the logs.
>
> Does somebody have any idea of what this is about?
>
> Torbjorn Wictorin
> Sunet CERT
>
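The two flow shapes discussed in this thread, as an added example that is not part of the original messages: a Python sketch that separates the short connects from the long, symmetric, one-minute-apart connects in flow records and computes the bytes-per-packet figure used in the reply. The flow records, addresses, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not data from the thread):
# (src, dst, start_seconds, pkts_out, pkts_in, bytes_out, bytes_in)
FLOWS = [
    ("192.0.2.10", "198.51.100.5", 0, 14, 15, 1000, 3000),
    ("192.0.2.10", "198.51.100.5", 5, 13, 16, 1100, 2900),
    ("192.0.2.10", "198.51.100.5", 100, 2500, 2500, 140000, 140000),
    ("192.0.2.10", "198.51.100.5", 160, 2480, 2510, 139000, 141000),
    ("192.0.2.10", "198.51.100.5", 221, 2520, 2490, 140500, 139800),
    ("192.0.2.10", "198.51.100.7", 30, 15, 14, 1050, 3100),
]

# Assumed thresholds, chosen only to separate the two patterns described above.
MIN_PKTS = 1000        # packets per direction for a "long" flow
MAX_ASYMMETRY = 0.05   # allowed relative difference between directions
MAX_AVG_BYTES = 100    # average bytes per packet
INTERVAL = (50, 70)    # seconds between starts, i.e. "one minute apart"

def asymmetry(a, b):
    """Relative difference between the two directions (0.0 = equal)."""
    return abs(a - b) / max(a, b, 1)

def avg_bytes_per_packet(flow):
    _, _, _, p_out, p_in, b_out, b_in = flow
    return (b_out + b_in) / max(p_out + p_in, 1)

def is_long_symmetric(flow):
    """Many small packets, near-equal packet and byte counts each way."""
    _, _, _, p_out, p_in, b_out, b_in = flow
    return (min(p_out, p_in) >= MIN_PKTS
            and asymmetry(p_out, p_in) <= MAX_ASYMMETRY
            and asymmetry(b_out, b_in) <= MAX_ASYMMETRY
            and avg_bytes_per_packet(flow) <= MAX_AVG_BYTES)

def summarize(flows):
    """Per (src, dst): count short vs long flows, and test the long ones for periodicity."""
    per_pair = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f[2]):
        per_pair[(flow[0], flow[1])].append(flow)
    report = {}
    for pair, items in per_pair.items():
        starts = [f[2] for f in items if is_long_symmetric(f)]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        periodic = bool(gaps) and all(INTERVAL[0] <= g <= INTERVAL[1] for g in gaps)
        report[pair] = {"short": len(items) - len(starts),
                        "long": len(starts), "periodic": periodic}
    return report

if __name__ == "__main__":
    for pair, stats in summarize(FLOWS).items():
        print(pair, stats)
```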