ISC just put up a diary on it that has a little bit more information for anyone interested:
http://isc.sans.org/diary.html?storyid=3529

Steven
www.securityzone.org

> I saw an unusually high volume of scans between 2200 and 0000 last night
> on my residential connection. They all made their initial probe using
> 'mysql' as the user. On average it looks like each of them made around
> 15 attempts, which is fairly low, and points to a scanner smart enough
> to recognize that it's been firewalled out.
>
> So far, nothing out of the ordinary at work or on dedicated servers.
> Maybe it's only targeting consumer connections? FWIW, my residential IP
> is in 75.65/16.
>
> -s
>
> On Sun, 21 Oct 2007 21:20:38 -0600
> James Lay <[EMAIL PROTECTED]> wrote:
>
>> Anyone else seeing these? Started about 3 hours ago..here's a snippet:
>>
>> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
>>
>> And a current list of hits in the last 3 hours:
>>
>> James
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
