Port Details - Port 22

[Graph: daily activity for port 22, Jan 10 to Feb 09, two data series (left graph and right graph)]

Port Information

Protocol  Service     Name
tcp       ssh         SSH Remote Login Protocol
udp       ssh         SSH Remote Login Protocol
tcp       Adoresshd   [trojan] Adore sshd
tcp       Shaft       [trojan] Shaft
udp       pcanywhere  PCAnywhere (deprecated)

User Comment

Submitted By  Date
Comment
2009-12-10 18:42:05
Got a huge load of scans throughout the last weeks (up to 65000 entries an hour). Luckily my boxes are NOT accessible via keyboard enabled authentication or PAM. ;)
2009-10-04 18:45:22
The game Project Torque generates some requests on this port when a race is about to start. It seems to work fine when the requests are blocked. At this moment, it is currently in "Closed Beta" state, but shortly it will become "Open Beta". The closed beta started at the beginning of August.
pophop  2009-10-04 18:45:22
We had an ssh worm pop a box in mid October. Logs showed ssh scanning starting in late September through October. Box had trivial password for exposed service account. Appears that human attackers logged in day after worm and set box up as port 22 scanner. Ran for two days before we caught. Human logins came from Romania. This is what's interesting - we were seeing RST ACKS in ALL our logs globally as if we had been sending SYN packets from all our global IP space to a site in Texas (US). "Ronaldsrecordclub" - 67.15.83.36. Now moved. As if our space was being used in a DOS. Sample: "Deny TCP (no connection) from 67.15.83.36/22 to xxx.xxx.xxx.xxx/3072 flags RST ACK on interface outside" Source port was consistently 3072. Ronaldsrecord google hit talks of its site's "PayPal" environment being developed by its "Romanian Development" team. Activity stops in mid-October - about the time SSH worm hit us. I find it odd that we would see this RST ACK activity to port 22 AND have "Romania" associated with both things. Curious if the RST ACK was a DOS or a scan of some sort.
Chris Anderson  2007-04-17 02:08:43
I have seen this same attack on a server on my network. A weak password was exploited and an ssh scanner was downloaded from a .ro site. Also included was a list of common usernames and passwords. It appears that it was just checking to see if the password was the same as the username. Once in, it started trying to brute force the root password.
Johannes Ullrich  2004-11-10 22:04:01
Frequently scanned to look for accounts with weak passwords.
Jason Testart  2004-11-09 18:00:01
We've been seeing an extreme amount of SSH scanning at our site over the past week, and just this weekend found a compromised Linux box doing the scanning. My investigation into the compromise found the usual stuff (sniffer, ssh backdoor, irc stuff, etc.) but I found a couple of things particularly interesting:
- tools for exploiting samba 2.2.x
- what looks like a SYN scanner, binary named "ss" with a cover script with command line options for port "22" and a speed setting "6".
- a binary named "lol". From what I can tell from the "strings" command and what we've seen, the binary does a dictionary attack to common accounts such as "root" and "test" using SSH.
The tools used were downloaded from sites in the .ro domain (Romania?).

CVE Links

CVE #  Description
CVE-2001-144 "CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow."
CVE-2002-390 "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized