List:       incidents
Subject:    About SSH scanning
From:       Joan Miquel Vigo <jmv () icf ! uab ! es>
Date:       2004-07-29 10:53:47
Message-ID: 20040729105347.M18754 () icf ! uab ! es

Hi there.
I've read the topics about SSH attacks & SSH incidents posted recently, so I
reviewed some logs and this is what I've found:

scanned from 150.101.181.246 with SSH-1.0-SSH_Version_Mapper. Don't panic

I've checked ARIN and Google:
- the IP is from an Australian ISP (eth503.qld.adsl.internode.on.net)
- the SSH Version Mapper is a scanner that probes SSH servers for their
software version and which hosts run vulnerable versions. Paper available at
http://www.citi.umich.edu/techreports/reports/citi-tr-01-13.pdf and you can
get the source code at http://www.monkey.org/~provos/scanssh/

On the other hand, I've not found any login attempt using 'test'

Regards
Joan Miquel Vigo
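
Added example, not part of the original message: a small Python log triage that pulls out the two things checked above, sshd "scanned from ... Don't panic" entries and login attempts for the user 'test'. The sample log lines are constructed, and the "Illegal user"/"Invalid user" wording is an assumption about the local OpenSSH log format.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines. Host name, PIDs, timestamps and the
# 192.0.2.x / 198.51.100.x addresses are made up; the first address and the
# banner are the ones quoted in the message.
SAMPLE_LOG = """\
Jul 28 03:12:01 host sshd[1201]: scanned from 150.101.181.246 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jul 28 03:12:02 host sshd[1202]: Did not receive identification string from 192.0.2.10
Jul 28 04:40:17 host sshd[1300]: Illegal user test from 198.51.100.7
Jul 28 04:40:19 host sshd[1300]: Failed password for illegal user test from 198.51.100.7 port 4242 ssh2
Jul 28 04:41:00 host sshd[1310]: Invalid user guest from 198.51.100.7
Jul 28 05:00:00 host sshd[1400]: Accepted password for alice from 192.0.2.55 port 5000 ssh2
"""

# sshd logs this when the client banner identifies a known scanner.
SCAN_RE = re.compile(r"sshd\[\d+\]: scanned from (\S+) with (\S+?)\.\s+Don't panic")
# Assumed wording for unknown-account attempts ("Illegal" in older releases,
# "Invalid" in newer ones). The "Failed password for illegal user" follow-up
# line is deliberately not matched, so each attempt is counted once.
USER_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")


def triage(lines, watch_users=("test",)):
    """Return scanner banners per source IP and watched-user attempts per IP."""
    scanners = defaultdict(set)
    probe_logins = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            scanners[m.group(1)].add(m.group(2))
            continue
        m = USER_RE.search(line)
        if m and m.group(1) in watch_users:
            probe_logins[m.group(2)][m.group(1)] += 1
    return {
        "scanners": dict(scanners),
        "probe_logins": {ip: dict(users) for ip, users in probe_logins.items()},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for ip, banners in report["scanners"].items():
        print("version scan from", ip, "banner(s):", ", ".join(sorted(banners)))
    for ip, users in report["probe_logins"].items():
        print("watched-user login attempts from", ip, users)
```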
