Port Details - Port 22

Daily counts for port 22 over the report window (left and right graph series, as listed on the page):

Date    Left graph   Right graph
Aug 11  3,081        93,755
Aug 12  1,011        112,506
Aug 13  809          87,399
Aug 14  928          60,294
Aug 15  1,112        41,740
Aug 16  897          49,459
Aug 17  925          36,611
Aug 18  735          103,538
Aug 19  737          81,601
Aug 20  873          106,874
Aug 21  802          74,628
Aug 22  863          60,960
Aug 23  718          39,151
Aug 24  921          45,659
Aug 25  855          77,400
Aug 26  1,072        88,279
Aug 27  868          61,276
Aug 28  990          77,139
Aug 29  1,013        126,736
Aug 30  1,211        109,627
Aug 31  1,142        93,164
Sep 01  1,233        71,641
Sep 02  1,059        108,276
Sep 03  1,222        84,061
Sep 04  1,005        47,981
Sep 05  1,094        110,979
Sep 06  1,134        102,739
Sep 07  983          103,760
Sep 08  867          83,247
Sep 09  830          96,102
Sep 10  353          11,637

Port Information

Protocol  Service      Name
tcp       ssh          SSH Remote Login Protocol
udp       ssh          SSH Remote Login Protocol
tcp       Adoresshd    [trojan] Adore sshd
tcp       Shaft        [trojan] Shaft
udp       pcanywhere   PCAnywhere (deprecated)

User Comment

Submitted By    Date    Comment
Andrew Daviel, 2010-08-13 00:17:14
We have also seen a big spike, maybe 50x baseline, in the last week. Of a few sources I checked, most seemed to be running opensshd. I suspect Linux boxes compromised via the same password guessing tool. Attempts I have captured in the past (http://andrew.triumf.ca/ssh_pass_file2.html) are mostly against root, so I suggest at the least blocking root password logins ("PermitRootLogin without-password" in OpenSSH sshd_config). We have also seen an ssh/sshd trojan on Linux boxes, a number of which were compromised (CVE-2009-2692) using the unusually robust escalation exploit "linux-sendpage3". This trojan logged passwords in and out, which were then used to attack other machines and gain root in turn on unpatched ones. The recent port 22 spike is I believe unrelated.
pq, 2010-07-10 13:17:54
We have seen a huge amount of ssh attacks the last 2 weeks.
2010-06-18 02:32:33
Anyone else seeing a HUGE number of SSH brute force attacks in the last 24 hours?
2009-12-10 18:42:05
got a huge load of scans throughout the last weeks (up to 65000 entries an hour) luckily my boxes are NOT accessible via keyboard enabled authentication or PAM. ;)
2009-10-04 18:45:22
The game Project Torque generates some requests on this port when a race is about to start. It seems to work fine when the requests are blocked. At this moment, it is currently in "Closed Beta" state, but shortly it will become "Open Beta". The closed beta started at the beginning of August.
pophop, 2009-10-04 18:45:22
We had an ssh worm pop a box in mid October. Logs showed ssh scanning starting in late September through October. Box had trivial password for exposed service account. Appears that human attackers logged in day after worm and set box up as port 22 scanner. Ran for two days before we caught it. Human logins came from Romania. This is what's interesting - we were seeing RST ACKs in ALL our logs globally as if we had been sending SYN packets from all our global IP space to a site in Texas (US). "Ronaldsrecordclub" - 67.15.83.36. Now moved. As if our space was being used in a DOS. Sample: "Deny TCP (no connection) from 67.15.83.36/22 to xxx.xxx.xxx.xxx/3072 flags RST ACK on interface outside" Source port was consistently 3072. Ronaldsrecord google hit talks of its site's "PayPal" environment being developed by its "Romanian Development" team. Activity stops in mid-October - about the time SSH worm hit us. I find it odd that we would see this RST ACK activity to port 22 AND have "Romania" associated with both things. Curious if the RST ACK was a DOS or a scan of some sort.
Chris Anderson, 2007-04-17 02:08:43
I have seen this same attack on a server on my network. A weak password was exploited and an ssh scanner was downloaded from a .ro site. Also included was a list of common usernames and passwords. It appears that it was just checking to see if the password was the same as the username. Once in, it started trying to brute force the root password.
Johannes Ullrich, 2004-11-10 22:04:01
frequently scanned to look for accounts with weak passwords.
Jason Testart, 2004-11-09 18:00:01
We've been seeing an extreme amount of SSH scanning at our site over the past week, and just this weekend found a compromised Linux box doing the scanning. My investigation into the compromise found the usual stuff (sniffer, ssh backdoor, irc stuff, etc.) but I found a couple of things particularly interesting:
- tools for exploiting samba 2.2.x
- what looks like a SYN scanner, binary named "ss" with a cover script with command line options for port "22" and a speed setting "6".
- a binary named "lol". From what I can tell from the "strings" command and what we've seen, the binary does a dictionary attack to common accounts such as "root" and "test" using SSH.
The tools used were downloaded from sites in the .ro domain (Romania?).

CVE Links

CVE #          Description
CVE-2001-144 "CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow."
CVE-2002-390 "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized