Has anyone seen this SSH Scanner tool? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Has anyone seen this SSH Scanner tool?

  1. #11
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    I hope you have reported the NY IDOT to their ISP.....
    I have been getting hit from Cina and Korea as well.... Mostly Port Scans
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  2. #12
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'm actually looking for the tool itself. Has anyone actually come across the actual script or tool that's being used?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #13
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  4. #14
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    MsMittens,

    Along with the above link that Lumpy gave to the otik site, there is another variation of the tool that is called ssh-grinder.c which I picked up along my travels. This variation matches the bahavior you've seen and when we had the issue (late summer) we blocked all netblocks to southeast Asia, Romania and Brazil. Since then, we've had a 72% decrease in scans and grinds (of this type).

    The actual code I have came to me broken. At least that's what one would think. After looking it over, there was one minor thing changed in the code that made it inoperable. My guess is that it was distributed to a known audience who knew what had to be changed to make it work again.

    I'm not sure if we kept the code around after handing it over to our fine friends with the three letter acronym. I'll check out our code library later today.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #15
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    This must be somewhat new, as we have been getting brute force attempts against our firewall since mid june, but the logs appear different in these latest attacks. I am guessing more and more script kiddies are finding the script.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  6. #16
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535

    scan the scanner

    Yup me too..

    Oct 27 16:20:04 copycat sshd[13787]: Failed password for root from 66.79.170.220 port 40644 ssh2
    Oct 27 16:20:06 copycat sshd[13790]: Failed password for root from 66.79.170.220 port 40680 ssh2
    Oct 27 16:20:08 copycat sshd[13793]: Failed password for root from 66.79.170.220 port 40713 ssh2
    evry two seconds

    Oct 27 16:20:58 copycat sshd[13886]: Failed password for root from 66.79.170.220 port 41805 ssh2
    Oct 27 16:21:00 copycat sshd[13889]: Failed password for root from 66.79.170.220 port 41836 ssh2
    H'm let's try something different hey..

    Oct 27 16:21:17 copycat sshd[13919]: Failed password for invalid user webmaster from 66.79.170.220 port 42186 ssh2
    Oct 27 16:21:19 copycat sshd[13922]: Invalid user data from 66.79.170.220
    Oct 27 16:21:19 copycat sshd[13922]: Failed password for invalid user data from 66.79.170.220 port 42221 ssh2
    Oct 27 16:21:21 copycat sshd[13925]: Invalid user user from 66.79.170.220
    Oct 27 16:21:21 copycat sshd[13925]: Failed password for invalid user user from 66.79.170.220 port 42268 ssh2
    Oct 27 16:21:22 copycat sshd[13928]: Invalid user user from 66.79.170.220
    Oct 27 16:21:22 copycat sshd[13928]: Failed password for invalid user user from 66.79.170.220 port 42299 ssh2
    Oct 27 16:21:24 copycat sshd[13931]: Invalid user user from 66.79.170.220
    Oct 27 16:21:24 copycat sshd[13931]: Failed password for invalid user user from 66.79.170.220 port 42338 ssh2
    Oct 27 16:21:26 copycat sshd[13934]: Invalid user web from 66.79.170.220
    Oct 27 16:21:26 copycat sshd[13934]: Failed password for invalid user web from 66.79.170.220 port 42374 ssh2
    Oct 27 16:21:27 copycat sshd[13937]: Invalid user web from 66.79.170.220
    Oct 27 16:21:27 copycat sshd[13937]: Failed password for invalid user web from 66.79.170.220 port 42417 ssh2
    Oct 27 16:21:29 copycat sshd[13941]: Invalid user oracle from 66.79.170.220
    Oct 27 16:21:29 copycat sshd[13941]: Failed password for invalid user oracle from 66.79.170.220 port 42454 ssh2
    Oct 27 16:21:31 copycat sshd[13944]: Invalid user sybase from 66.79.170.220
    Oct 27 16:21:31 copycat sshd[13944]: Failed password for invalid user sybase from 66.79.170.220 port 42483 ssh2
    Oct 27 16:21:33 copycat sshd[13947]: Invalid user master from 66.79.170.220
    Oct 27 16:21:33 copycat sshd[13947]: Failed password for invalid user master from 66.79.170.220 port 42524 ssh2
    Oct 27 16:21:34 copycat sshd[13950]: Invalid user account from 66.79.170.220
    Oct 27 16:21:34 copycat sshd[13950]: Failed password for invalid user account from 66.79.170.220 port 42560 ssh2
    Oct 27 16:21:36 copycat sshd[13953]: Invalid user backup from 66.79.170.220
    Oct 27 16:21:36 copycat sshd[13953]: Failed password for invalid user backup from 66.79.170.220 port 42596 ssh2
    Oct 27 16:21:38 copycat sshd[13956]: Invalid user server from 66.79.170.220
    Oct 27 16:21:38 copycat sshd[13956]: Failed password for invalid user server from 66.79.170.220 port 42633 ssh2
    Oct 27 16:21:39 copycat sshd[13959]: Invalid user adam from 66.79.170.220
    Oct 27 16:21:39 copycat sshd[13959]: Failed password for invalid user adam from 66.79.170.220 port 42663 ssh2
    Oct 27 16:21:41 copycat sshd[13962]: Invalid user alan from 66.79.170.220
    Oct 27 16:21:41 copycat sshd[13962]: Failed password for invalid user alan from 66.79.170.220 port 42699 ssh2
    Oct 27 16:21:42 copycat sshd[13965]: Invalid user frank from 66.79.170.220
    Oct 27 16:21:42 copycat sshd[13965]: Failed password for invalid user frank from 66.79.170.220 port 42726 ssh2
    Oct 27 16:21:44 copycat sshd[13968]: Invalid user george from 66.79.170.220
    Oct 27 16:21:44 copycat sshd[13968]: Failed password for invalid user george from 66.79.170.220 port 42764 ssh2
    Oct 27 16:21:46 copycat sshd[13971]: Invalid user henry from 66.79.170.220
    Oct 27 16:21:46 copycat sshd[13971]: Failed password for invalid user henry from 66.79.170.220 port 42794 ssh2
    Oct 27 16:21:47 copycat sshd[13974]: Invalid user john from 66.79.170.220
    Oct 27 16:21:47 copycat sshd[13974]: Failed password for invalid user john from 66.79.170.220 port 42825 ssh2
    and back to root..

    Oct 27 16:21:49 copycat sshd[13977]: Failed password for root from 66.79.170.220 port 42858 ssh2
    Oct 27 16:21:50 copycat sshd[13980]: Failed password for root from 66.79.170.220 port 42883 ssh2
    Oct 27 16:21:52 copycat sshd[13983]: Failed password for root from 66.79.170.220 port 42923 ssh2
    Oct 27 16:21:54 copycat sshd[13986]: Failed password for root from 66.79.170.220 port 42950 ssh2
    Oct 27 16:21:55 copycat sshd[13989]: Failed password for root from 66.79.170.220 port 42988 ssh2

    I nmapped the dude..
    Code:
    PORT      STATE    SERVICE         VERSION
    1/tcp     open     tcpmux?
    21/tcp    open     ftp?
    22/tcp    open     ssh             OpenSSH 3.6.1p2 (protocol 1.99)
    25/tcp    open     smtp            Exim smtpd 4.24
    80/tcp    open     http            Apache httpd 1.3.29
    111/tcp   open     rpcbind?
    135/tcp   filtered msrpc
    143/tcp   open     imap            UW imapd 2003.338rh
    443/tcp   open     http            Apache httpd 1.3.29
    445/tcp   filtered microsoft-ds
    465/tcp   open     ssl/smtp        Exim smtpd 4.24
    993/tcp   open     ssl/imap        UW imapd 2003.338rh
    995/tcp   open     pop3s?
    1337/tcp  open     irc-proxy       psyBNC 2.3.2-4
    3306/tcp  open     mysql           MySQL (unauthorized)
    6667/tcp  filtered irc
    6668/tcp  filtered irc
    7000/tcp  filtered afs3-fileserver
    31337/tcp open     irc-proxy       psyBNC 2.3.1
    and what do you think...
    telnet 66.79.170.220 1337
    Trying 66.79.170.220...
    Connected to 66.79.170.220.
    Escape character is '^]'.
    :Welcome!psyBNC@lam3rz.de NOTICE * syBNC2.3.2-4
    H'm an irc proxy (bot?).. but it needs a password.. if I were just as lame.. I'd just brute force it
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides