Port Details - Port 22

[Graph: two daily series for port 22, Oct 22 through Nov 21]

Port Information

Protocol  Service     Name
tcp       ssh         SSH Remote Login Protocol
udp       ssh         SSH Remote Login Protocol
tcp       Adoresshd   [trojan] Adore sshd
tcp       Shaft       [trojan] Shaft
udp       pcanywhere  PCAnywhere (deprecated)

User Comment

Submitted By  Date
Comment
2009-10-04 18:45:22
The game Project Torque generates some requests on this port when a race is about to start. It seems to work fine when the requests are blocked. At this moment, it is currently in "Closed Beta" state, but shortly it will become "Open Beta". The closed beta started at the beginning of August.
pophop  2009-10-04 18:45:22
We had an ssh worm pop a box in mid October. Logs showed ssh scanning starting in late September through October. Box had trivial password for exposed service account. Appears that human attackers logged in day after worm and set box up as port 22 scanner. Ran for two days before we caught. Human logins came from Romania. This is what's interesting - we were seeing RST ACKS in ALL our logs globally as if we had been sending SYN packets from all our global IP space to a site in Texas (US). "Ronaldsrecordclub" - 67.15.83.36. Now moved. As if our space was being used in a DOS. Sample: "Deny TCP (no connection) from 67.15.83.36/22 to xxx.xxx.xxx.xxx/3072 flags RST ACK on interface outside" Source port was consistently 3072. Ronaldsrecord google hit talks of its site's "PayPal" environment being developed by its "Romanian Development" team. Activity stops in mid-October - about the time SSH worm hit us. I find it odd that we would see this RST ACK activity to port 22 AND have "Romania" associated with both things. Curious if the RST ACK was a DOS or a scan of some sort.
Chris Anderson  2007-04-17 02:08:43
I have seen this same attack on a server on my network. A weak password was exploited and an ssh scanner was downloaded from a .ro site. Also included was a list of common usernames and passwords. It appears that it was just checking to see if the password was the same as the username. Once in, it started trying to brute force the root password.
Johannes Ullrich  2004-11-10 22:04:01
Frequently scanned to look for accounts with weak passwords.
Jason Testart  2004-11-09 18:00:01
We've been seeing an extreme amount of SSH scanning at our site over the past week, and just this weekend found a compromised Linux box doing the scanning. My investigation into the compromise found the usual stuff (sniffer, ssh backdoor, irc stuff, etc.) but I found a couple of things particularly interesting:
- tools for exploiting samba 2.2.x
- what looks like a SYN scanner, binary named "ss" with a cover script with command line options for port "22" and a speed setting "6".
- a binary named "lol". From what I can tell from the "strings" command and what we've seen, the binary does a dictionary attack to common accounts such as "root" and "test" using SSH.
The tools used were downloaded from sites in the .ro domain (Romania?).

CVE Links

CVE #  Description
CVE-2001-144 "CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow."
CVE-2002-390 "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized