Incident: 02-23-02 09:18am

tcp:22 ssh

A *lot* of stuff is happening on tcp:22 ssh these days:


"There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH."


Feb 23 09:18:06 - snort [1:0:0] TCP to 22 ssh 
  Source IP:   Source port: 22 
Source host:
  Target IP:   Target port: 22   Proto: TCP 
Target host:



02/23-09:18:06.568113 ->
TCP TTL:118 TOS:0x0 ID:40935 IpLen:20 DgmLen:40
******S* Seq: 0x3B05B5DD  Ack: 0x5185E29A  Win: 0xA7FB  TcpLen: 20



Feb 23 09:18:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=40 S=0x00 I=40935 F=0x0000 T=118 SYN (#64)



Sat Feb 23 09:18:06 2002 UNKNOWN [43003:118:0:0:-1:0:0:40]. ->



[toot@sparky /storage/snort/old_snorts/022302]# host
Host not found: 3(NXDOMAIN)



BW whois 2.9 by Bill Weinman (
 1999-2001 William E. Weinman 

connecting to [] ...
connecting to [] ...

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit for more information.
% Rights restricted by copyright.
% See 

inetnum: -
netname:      NO-LEIF-HOEGH-CO-NET
descr:        Leif Hoegh & Co
country:      NO
admin-c:      TM74-RIPE
tech-c:       TM74-RIPE
source:       RIPE 

descr:        Nextra, Postboks 393 - Skoyen, N-0212 Oslo, Norway
origin:       AS2119
source:       RIPE 

person:       Tore Mioen
address:      Leif Hoegh & Co AS
address:      Wergelandsveien 1
address:      Postboks 2596, Solli
address:      N-0203 Oslo
address:      Norway
phone:        +47 22 86 99 10
fax-no:       +47 22 86 99 03
nic-hdl:      TM74-RIPE
source:       RIPE
Last modified: Sun Feb 24 13:18:09 2002