[nsp-sec] Sudden jump in ssh slow-scan activity

Smith, Donald Donald.Smith at qwest.com
Wed Jan 20 18:29:41 EST 2010


I haven't compared your list to the telnet from last week but I ran a report against our reported IPs and am seeing them scanning using 60-byte SYNs. So I suspect the same scanning tool is in use.
It may be the same set of hosts or some overlap; that I haven't looked at, but 60-byte SYNs are just not that common. Did anyone else check netflow and see these IPs using 60-byte SYNs?

Also these are just scanning. I am seeing data so I believe they are brute-forcing too.


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Joel Rosenblatt
> Sent: Monday, January 18, 2010 12:05 PM
> To: Mike Tancsa; Kevin Oberman; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Sudden jump in ssh slow-scan activity
>
> ----------- nsp-security Confidential --------
>
>
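
One way to run the netflow check asked about in the message above, as an added example that is not part of the original post and not the author's tooling: it groups flow records by source, counts SYN-only flows to tcp/22 whose packets are exactly 60 bytes, and separately notes flows that carried data. The CSV column layout, the flag letters, the PSH-means-data heuristic, the `min_targets` threshold and the sample records (RFC 5737 documentation addresses) are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real data): one row per flow.
SAMPLE_FLOWS = """\
src,dst,dport,pkts,bytes,flags
192.0.2.10,198.51.100.5,22,1,60,S
192.0.2.10,198.51.100.6,22,1,60,S
192.0.2.10,198.51.100.7,22,2,120,S
192.0.2.10,198.51.100.8,22,14,2310,SAPF
192.0.2.77,198.51.100.5,22,1,44,S
192.0.2.77,198.51.100.6,22,1,44,S
203.0.113.9,198.51.100.5,22,21,4180,SAPF
203.0.113.9,198.51.100.5,443,1,60,S
"""

SYN_SIZE = 60  # bytes per SYN packet, the size reported in the message
SSH_PORT = 22


def summarize(flow_csv, syn_size=SYN_SIZE, dport=SSH_PORT):
    """Per source: SYN-only flows of syn_size bytes per packet, and data flows."""
    stats = defaultdict(lambda: {"syn_probes": 0, "targets": set(), "data_flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) != dport:
            continue
        pkts, nbytes, flags = int(row["pkts"]), int(row["bytes"]), set(row["flags"])
        s = stats[row["src"]]
        if flags == {"S"} and pkts > 0 and nbytes == pkts * syn_size:
            # SYN-only flow (retransmits included), every packet syn_size bytes
            s["syn_probes"] += 1
            s["targets"].add(row["dst"])
        elif "P" in flags:
            # Assumed heuristic: PSH seen means payload was exchanged
            s["data_flows"] += 1
    return stats


def classify(stats, min_targets=2):
    """Label sources that sent syn_size SYNs to at least min_targets hosts."""
    out = {}
    for src, s in stats.items():
        if len(s["targets"]) >= min_targets:
            out[src] = "scan+data" if s["data_flows"] else "scan-only"
    return out


if __name__ == "__main__":
    for src, label in sorted(classify(summarize(SAMPLE_FLOWS)).items()):
        print(src, label)
```

Sources labelled `scan+data` are the ones to compare against sshd authentication logs, since the flow records alone do not show what the data was.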
