[nsp-sec] Sudden jump in ssh slow-scan activity

Joel Rosenblatt joel at columbia.edu
Wed Jan 20 22:20:34 EST 2010


Looking at the same IP that scanned Mike - here is the netflow - it is not 60-byte SYNs.



Joel


--On Wednesday, January 20, 2010 4:29 PM -0700 "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> I haven't compared your list to the telnet from last week, but I ran a report against our reported IPs and am seeing them scanning using 60-byte SYNs. So I
> suspect the same scanning tool is in use. It may be the same set of hosts or some overlap, that I haven't looked at, but 60-byte SYNs are just not that
> common. Did anyone else check netflow and see these IPs using 60-byte SYNs?
>
> Also these are just scanning. I am seeing data so I believe they are bruteforcing too.
>
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Joel Rosenblatt
>> Sent: Monday, January 18, 2010 12:05 PM
>> To: Mike Tancsa; Kevin Oberman; nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] Sudden jump in ssh slow-scan activity
>>
>> ----------- nsp-security Confidential --------
>>
>>
>
>



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
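A defender-side way to separate the two profiles discussed in this thread (lone 60-byte SYNs versus flows that completed a handshake and moved data), as an added example that is not part of the original mail: it parses records in the same layout as the netflow quoted above, labels each flow, and tallies distinct SSH targets per source. The sample records, addresses and size thresholds are constructed.

```python
"""Profile SSH-bound netflow records by packet and byte counts.
Added example, not from the nsp-sec thread: the record layout mirrors the
lines quoted in the mail; sample records and size thresholds are constructed."""
from collections import defaultdict

# Constructed sample: one source completes connections and moves data,
# the other only sends single 60-byte SYNs; a UDP flow is ignored by port.
SAMPLE = """\
2010/01/17 09:48:11 192.0.2.10.37035 -> 198.51.100.7.22 6 13 1272
2010/01/17 09:48:11 192.0.2.10.37039 -> 198.51.100.39.22 6 13 1272
2010/01/17 09:48:12 192.0.2.20.41000 -> 198.51.100.7.22 6 1 60
2010/01/17 09:48:12 192.0.2.20.41001 -> 198.51.100.8.22 6 1 60
2010/01/17 09:48:13 192.0.2.30.5000 -> 198.51.100.9.53 17 1 80
"""

def parse_flow(line):
    """Split one record; IPv4 address and port share a dot separator."""
    _date, _time, src, _arrow, dst, proto, pkts, nbytes = line.split()
    sip, sport = src.rsplit(".", 1)
    dip, dport = dst.rsplit(".", 1)
    return {"src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": int(proto), "pkts": int(pkts), "bytes": int(nbytes)}

def classify(flow):
    """'syn_probe' for a lone SYN of at most 60 bytes, 'data' when the
    average packet is bigger than a bare header (handshake completed and
    payload exchanged), 'partial' for anything in between."""
    if flow["proto"] != 6:
        return "other"
    if flow["pkts"] == 1 and flow["bytes"] <= 60:
        return "syn_probe"
    if flow["pkts"] >= 4 and flow["bytes"] > 60 * flow["pkts"]:
        return "data"
    return "partial"

def summarize(text, dport=22):
    """Per source: number of distinct targets on dport and a count per class."""
    per_src = defaultdict(lambda: {"targets": set(), "syn_probe": 0,
                                   "data": 0, "partial": 0, "other": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] != dport:
            continue
        rec = per_src[flow["src"]]
        rec["targets"].add(flow["dst"])
        rec[classify(flow)] += 1
    # Replace each target set with its size so the result is plain data.
    return {src: dict(rec, targets=len(rec["targets"]))
            for src, rec in per_src.items()}
```

A source with many distinct targets and a "data" majority is consistent with the brute-forcing Donald describes, while a "syn_probe" majority matches the 60-byte SYN scanner profile.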



