Yes,
These scans are also taking place on IP Ranges known to be owned by
large server ISPs, I was seeing them on my servers until I tightened my
IPFW rules, haven't tried verifying OS/other info on the source IPs
though (Doh!)... If I had been thinking at the time, I could have
written a script to at least try to do an nmap -sS -P0 -O on them and
save it somewhere... oh well...
I have servers co-located with a couple of ISPs as well as on a
Home-Office DSL line, FreeBSD based mostly, but there is 1 Solaris box
and 1 Linux Box. The ones on the DSL line have been really quiet. The
ones with the ISPs have been getting pounded with SSL brute force
attempts and also people trying to proxy themselves through the apache
installation (on a couple of them) even though it is compiled without
the proxy option...
I'm guessing it is focusing on academic networks as the post I am
replying to said, as well as ISPs as those are two of the places with
the strongest reputations for having vulnerable boxes.. I am actually
shocked to have not seen this traffic on my DSL boxes..
I guess we are lucky this is not a worm attacking the many vulnerable
unpatched OpenSSH installs on the I-Net.
--
------------------
Jon Adams
PGP Key: http://www.ja6.com/pubkey.asc
Web: http://www.scis.nova.edu/~jonaadam
[EMAIL PROTECTED] wrote:
I have many SSH scans in my large academic network. IMO scanning hosts are
Windows zombies.