Hey guys, I'm new here and this is my first post. I've got a question about Secure Shell.
Today at work Snort alerted us to the following

-- snort snort --

[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

A couple of things to note here.

1. This appears to be a Linux box, even though the Time to Live is set at 20. A quick
traceroute 211.172.121.210 shows the host lies 20 hops away from me. Point - TTL is forged.

2. The SYN | FIN flags are set. I understand the SYN flag being set to initiate a TCP connection, but including the FIN flag as well is not normal SSH behaviour. Point - packets are crafted by some tool / possible exploit.

Does anyone know of any possible SSH exploits or worms in the wild that use port 22 as the source port, set the SYN | FIN flags and forge TTL values?

Perhaps I'm way off, but this type of traffic does not seem normal to me; it looks like
I may have been in the range of some worm or script kiddie scanning domains looking for
vulnerable unpatched OpenBSD or whatever boxes.

Anyway, hello to everyone, hope we all can be good friends.

Hello from Canada


bye
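The two observations in the post (SYN and FIN set together, and a TTL that does not add up against the traceroute hop count) can be turned into a small triage script. The following is an added example, not code from the original post or from Snort: it parses Snort's full-alert text layout (the `[**] ... [**]` header, address line, IP line and TCP flag line shown above, split on the `=+=+` separator lines), then applies three defender-side checks. The sample alert text is the post's own two records, embedded as a constructed string; the hop count passed to `analyze()` is the poster's traceroute result, and the list of "standard" initial TTLs (64, 128, 255) is an assumption about common OS defaults, not something the post states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two alert records from the post, pasted as plain text.
SAMPLE_ALERTS = """\
[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/14-21:09:14.854534 211.172.121.210:22 -> 192.168.4.34:22
TCP TTL:20 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x235A06B0 Ack: 0x5F19F5 Win: 0x404 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:\d+$")
# Snort prints the TCP flag byte as eight columns "12UAPRSF"; '*' marks a clear bit.
TCP_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+) "
                    r"Ack: 0x[0-9A-Fa-f]+ Win: 0x[0-9A-Fa-f]+ TcpLen: \d+$")

# Assumption: initial TTLs most OS stacks use. A forged TTL usually implies none of these.
STANDARD_INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Alert:
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ipid: int
    flags: str   # eight-column Snort flag string, e.g. "******SF"
    seq: int


def parse_alerts(text: str) -> List[Alert]:
    """Split Snort full-alert output on its =+=+ separator lines and parse each TCP record."""
    alerts: List[Alert] = []
    for block in re.split(r"^=\+=.*$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        m_msg, m_addr = MSG_RE.match(lines[0]), ADDR_RE.match(lines[1])
        m_ip, m_tcp = IP_RE.match(lines[2]), TCP_RE.match(lines[3])
        if not (m_msg and m_addr and m_ip and m_tcp):
            continue   # not a TCP record in the layout we understand; skip rather than guess
        alerts.append(Alert(
            msg=m_msg["msg"], ts=m_addr["ts"],
            src=m_addr["src"], sport=int(m_addr["sport"]),
            dst=m_addr["dst"], dport=int(m_addr["dport"]),
            ttl=int(m_ip["ttl"]), ipid=int(m_ip["ipid"]),
            flags=m_tcp["flags"], seq=int(m_tcp["seq"], 16),
        ))
    return alerts


def analyze(alert: Alert, hops_to_source: Optional[int] = None) -> List[str]:
    """Return human-readable findings for one alert; an empty list means nothing odd."""
    findings: List[str] = []
    if "S" in alert.flags and "F" in alert.flags:
        findings.append("SYN and FIN set together: no normal TCP stack sends this, packet is crafted")
    if alert.sport == alert.dport:
        findings.append(f"source port equals destination port ({alert.sport}): typical of tool-generated packets")
    if hops_to_source is not None:
        implied_initial = alert.ttl + hops_to_source   # TTL the sender would have started with
        if implied_initial not in STANDARD_INITIAL_TTLS:
            findings.append(f"TTL {alert.ttl} over {hops_to_source} hops implies initial TTL "
                            f"{implied_initial}, matching no common default: likely forged")
    return findings


def unique_packets(alerts: List[Alert]) -> List[Alert]:
    """Collapse records that are the same packet logged more than once (same time, IP ID, seq)."""
    seen: Dict[Tuple[str, str, str, int, int], Alert] = {}
    for a in alerts:
        seen.setdefault((a.ts, a.src, a.dst, a.ipid, a.seq), a)
    return list(seen.values())


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(parsed)} records, {len(unique_packets(parsed))} distinct packet(s)")
    for a in unique_packets(parsed):
        print(f"{a.src}:{a.sport} -> {a.dst}:{a.dport} flags={a.flags} ttl={a.ttl}")
        for f in analyze(a, hops_to_source=20):   # 20 hops: the poster's traceroute result
            print("  -", f)
```

Run as-is it reports one distinct packet (the post's two records carry the same timestamp, IP ID and sequence number) with all three findings. The hop count is the piece of context only the analyst has, which is why it is an argument rather than parsed from the alert; leave it out and the TTL check is simply skipped.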