From mboxrd@z Thu Jan 1 00:00:00 1970
Message-Id: <5.1.0.14.2.20020123205731.00ce1eb8@mail.azboss.net>
Date: Wed, 23 Jan 2002 20:58:45 -0700
To: speakup@braille.uwo.ca
From: Darrell Shandrow
Subject: Re: log entry question on sshd
In-Reply-To: <20020123151114.GC13119@asmodean.net>
References: <5.1.0.14.2.20020122204308.01be38a0@mail.azboss.net> <20020121050400.GA5744@asmodean.net> <5.1.0.14.2.20020122204308.01be38a0@mail.azboss.net>

Hi Raul,

You could access the ARIN (American Registry of Internet Numbers) web site at http://www.arin.net to find out the provider who has registered the IP address in question, and contact that provider. I have certainly dealt with those sorts of security inquiries at work on a number of occasions.

At 09:11 AM 1/23/2002 -0600, you wrote:
>Darrell Shandrow said the following on Tue, Jan 22, 2002 at 08:43:41PM -0700:
> > Hi Raul,
> >
> > Hmmm, looks like a rather persistent port scan, in my estimation.
> >
> > At 11:04 PM 1/20/2002 -0600, you wrote:
> > >Hey gang. I received this log entry and am not sure if it's a portscan
> > >of some type or not. Anyone seen this before?
> > >
> > >Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper. Don't panic.
> > >Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper. Don't panic.
> > >Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper. Don't panic.
> > >
>I thought so at first but usually portscans will scan more ports than
>ssh. Besides I'm not worried about anyone breaking in via ssh. My ssh
>is secure and does not allow root to ssh in anyway. I also didn't see
>any other portscans on any other ports. What it seems to me is that
>they were trying to use ssh1 to connect on ssh2 or something but who
>knows. It has not happened since so I am not worried.
>
>--
>We are writing this e-mail to inform you that the mail server is down.
>Please do not call the help desk for assistance. To see the progress of
>any outage refer to your e-mail notifications.
>Raul A. Gallegos - http://www.asmodean.net
>
>_______________________________________________
>Speakup mailing list
>Speakup@braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup

Best regards and happy New Year,
Darrell
Access technology consulting / network and UNIX systems administration.
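
The following is an added example, not part of the thread or written by either poster: a small Python summary of the sshd "scanned from" entries quoted above, grouped by source address so the count, client banner and spacing of the connections can be read at a glance before contacting the registrant of the address. It assumes the "+" in the quoted log is the mail client's line-wrap marker, takes the year 2002 from the message date because syslog lines carry none, and adds one constructed non-scan line; the function and field names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines: the entries quoted in the thread, with the line wrap undone.
# Last line: constructed, to show that unrelated sshd entries are skipped.
SAMPLE_LOG = """\
Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jan 20 19:30:02 saidin sshd[4231]: Accepted password for raul from 192.0.2.10 port 1022
"""

SCAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"scanned from (?P<ip>\S+) with (?P<banner>\S+?)\.\s+Don't panic\.$"
)

def summarize_scans(log_text, year=2002):
    """Group sshd 'scanned from' entries by source address."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue  # any other syslog line is ignored
        # syslog omits the year, so the caller supplies it (assumption: 2002)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((when, m["banner"]))
    report = {}
    for ip, hits in events.items():
        hits.sort()
        times = [t for t, _ in hits]
        report[ip] = {
            "count": len(hits),
            "first": times[0],
            "last": times[-1],
            "banners": sorted({b for _, b in hits}),
            # seconds between consecutive connections from this address
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize_scans(SAMPLE_LOG).items():
        print(ip, info["count"], info["banners"], info["gaps_s"],
              info["first"].isoformat(), info["last"].isoformat())
```

The first and last timestamps and the source address from this summary are the details an abuse contact will typically ask for.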