[nsp-sec] ACK: Sudden jump in ssh slow-scan activity

Scott A. McIntyre scott at xs4all.net
Tue Jan 19 01:17:22 EST 2010


On Jan 18, 2010, at 20:05 , Joel Rosenblatt wrote:

> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I've attached our list of attacking IPs (the number after the time stamps is the number of hits) and the list of names used in the attacks (the ones with *'s are legitimate CU IDs).

Hi Joel,

ACK for various ASNs that are mine to fret about ..

I also noticed that during this same period we had a real rise of fast-scan activity, towards people who notice such things.  I tend to think of it as "abuse-backscatter" -- when the SSH hacking activity from my own netblock generates a lot of abuse reports from other networks. 

During the last few days we've had a real rise in reported cases.  Normally it's our own detection systems which find and shut these things down well before others complain, but this weekend we had a dozen or so complaints, mostly out of Germany and NREN (.edu) networks regarding the SSH scans from my customers.  

Perhaps related, perhaps not.

Thanks!

Scott A. McIntyre
XS4ALL Internet




