[nsp-sec] Sudden jump in ssh slow-scan activity

Smith, Donald Donald.Smith at qwest.com
Thu Jan 21 11:39:59 EST 2010


First here is what I am seeing from members of Mike's ssh scanning list.

DateTime        Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets
0118.15:42:04.072 6     xxx.xxx.xxx.xxx 43335 43    194.85.93.202   22    6   2  1          60
0118.15:42:07.264 6     xxx.xxx.xxx.xxx 38449 40    194.85.93.228   22    6   2  1          60
0118.15:45:21.857 6     xxx.xxx.xxx.xxx 37915 40    212.193.238.168 22    6   2  1          60
0118.15:45:24.713 6     xxx.xxx.xxx.xxx 35579 43    212.193.238.25  22    6   2  1          60
0118.15:50:01.518 6     xxx.xxx.xxx.xxx 43001 9     60.251.197.100  22    6   2  1          60
0118.15:51:52.570 6     xxx.xxx.xxx.xxx 46870 9     24.79.153.244   22    6   2  1          60
0118.15:52:19.082 6     xxx.xxx.xxx.xxx 41365 49    203.33.253.6    22    6   2  1          60
0118.15:56:39.157 54    xxx.xxx.xxx.xxx 43023 57    64.247.136.38   22    6   2  1          60


Not all of the syns are 60 but the vast majority were:)

more /tmp/telnet4.ips | awk '{ if (( $10==2) && ($12==60) ) print $0}' | wc -l
896

more /tmp/telnet4.ips | awk '{ if (( $10==2) && ($12!=60) ) print $0}' | wc -l
54

In fact some of the syns are way too large to be normal syns.
more /tmp/telnet4.ips | awk '{ if (( $10==2) && ($12!=60) ) print $12}'  | sort | uniq -c | sort -nr

#    syn_length
  41 64
   2 48
   2 112
   1 832
   1 56
   1 52
   1 484
   1 40
   1 264
   1 256
   1 168
   1 164

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
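
The awk one-liners above key on $10 (TCP flags, 2 = SYN only) and $12 (octets), which implies the flow export splits date and time into two columns. The script below is an added example, not from this thread or from Qwest's tooling; it assumes that 12-column layout (date time sif src sport dif dst dport proto flags pkts octets), uses constructed sample records on RFC 5737 addresses rather than real flows, and adds one check the one-liners don't make: a SYN-only, single-packet flow larger than 120 octets (60-byte IP header plus 60-byte TCP header, the most a bare SYN can be) cannot be a plain SYN, so it carries payload or reflects a flow-accounting artefact and is the record to pull a packet capture for.

```shell
#!/bin/sh
# Added example (not from the thread). Triage SYN-only flows to tcp/22 from a
# whitespace-separated flow export with the column layout the awk one-liners
# assume: $1 date $2 time $3 sif $4 src $5 sport $6 dif $7 dst $8 dport
# $9 proto $10 tcp flags $11 pkts $12 octets.

# Constructed sample records (not real flows): one source sending 60-byte
# SYNs, one mixing a 64-byte SYN with an oversize one, a tcp/23 SYN and a
# 3-packet SYN/ACK flow that must both be ignored.
FLOWS='0118 15:42:04.072 6 10.0.0.1 43335 43 192.0.2.10 22 6 2 1 60
0118 15:42:07.264 6 10.0.0.1 38449 40 192.0.2.11 22 6 2 1 60
0118 15:45:21.857 6 10.0.0.1 37915 40 192.0.2.12 22 6 2 1 60
0118 15:45:24.713 6 10.0.0.2 35579 43 192.0.2.13 22 6 2 1 64
0118 15:50:01.518 6 10.0.0.2 43001 9 192.0.2.14 22 6 2 1 832
0118 15:51:52.570 6 10.0.0.2 46870 9 192.0.2.15 23 6 2 1 60
0118 15:52:19.082 6 10.0.0.3 41365 49 192.0.2.16 22 6 18 3 180'

# Largest packet that is only IP header + TCP header (60 + 60 bytes).
# A SYN-only single-packet flow above this must carry data.
MAX_BARE_SYN=120

# Size histogram of SYN-only (flags==2), single-packet TCP flows to port 22.
# Same idea as the one-liners in the post, but also keyed on the destination
# port. Prints "count octets", most common size first, smaller size first on ties.
syn_size_histogram() {
    printf '%s\n' "$FLOWS" |
    awk '$9==6 && $8==22 && $10==2 && $11==1 { print $12 }' |
    sort | uniq -c | sort -k1,1nr -k2,2n | awk '{ print $1, $2 }'
}

# Per-source view: "src syn_count distinct_dsts oversize_count", one line
# per source, sorted by source. oversize_count > 0 is the packet-capture cue.
per_source_summary() {
    printf '%s\n' "$FLOWS" |
    awk -v max="$MAX_BARE_SYN" '
        $9==6 && $8==22 && $10==2 && $11==1 {
            n[$4]++
            if (!(($4, $7) in seen)) { seen[$4, $7] = 1; d[$4]++ }
            if ($12 + 0 > max) big[$4]++
        }
        END { for (s in n) printf "%s %d %d %d\n", s, n[s], d[s], big[s] + 0 }' |
    sort
}

# Stand-alone run: print both views.
echo "count octets"; syn_size_histogram
echo "src syns dsts oversize"; per_source_summary
```

To run it against a real export, replace the `printf '%s\n' "$FLOWS"` feed with `cat /tmp/telnet4.ips` (or whatever the file is) and adjust the column numbers if the export differs; everything else stays the same.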

> -----Original Message-----
> From: Joel Rosenblatt [mailto:joel at columbia.edu]
> Sent: Wednesday, January 20, 2010 8:21 PM
> To: Smith, Donald; 'Mike Tancsa'; 'Kevin Oberman';
> 'nsp-security at puck.nether.net'
> Cc: 'Joel Rosenblatt'
> Subject: RE: [nsp-sec] Sudden jump in ssh slow-scan activity
>
> Looking at the same IP that scanned Mike - here is the
> netflow - it is not 60 byte syns
>
I don't recognize this format but will make an educated guess:
Date    time             src_ip:port              dst_ip:port Proto Interface? packet_length?
> 2010/01/17 09:48:11 58.60.106.24.37035 -> 128.59.194.247.22 6 13 1272
> 2010/01/17 09:48:11 58.60.106.24.37039 -> 128.59.194.39.22 6 13 1272
> 2010/01/17 09:48:11 58.60.106.24.37041 -> 128.59.194.41.22 6 13 1272
> 2010/01/17 09:48:11 58.60.106.24.37046 -> 128.59.194.91.22 6 13 1272
> 2010/01/17 09:48:11 58.60.106.24.37047 -> 128.59.194.95.22 6 13 1272
<SNIP>

>
> Joel
>
>
> --On Wednesday, January 20, 2010 4:29 PM -0700 "Smith,
> Donald" <Donald.Smith at qwest.com> wrote:
>
> > I haven't compared your list to the telnet from last week
> but I ran a report against our reported ips and am seeing
> them scanning using 60 byte syns. So I
> > suspect the same scanning tool is in use. It may be the
> same set of hosts or some overlap, that I haven't looked at
> but 60 byte syns are just not that
> > common. Did anyone else check netflow and see these ips
> using 60 byte syns?
> >
> > Also these are just scanning. I am seeing data so I believe
> they are bruteforcing too.
> >
> >
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith at qwest.com gcia
> >
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >> Joel Rosenblatt
> >> Sent: Monday, January 18, 2010 12:05 PM
> >> To: Mike Tancsa; Kevin Oberman; nsp-security at puck.nether.net
> >> Subject: Re: [nsp-sec] Sudden jump in ssh slow-scan activity
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >>
> >
> > This communication is the property of Qwest and may contain
> confidential or
> > privileged information. Unauthorized use of this
> communication is strictly
> > prohibited and may be unlawful.  If you have received this
> communication
> > in error, please immediately notify the sender by reply
> e-mail and destroy
> > all copies of the communication and any attachments.
> >
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
