Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SSH scans, source port 80? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SSH scans, source port 80?

Got an email today from a reader named Justin (thank you Justin) who asks us if we have seen alot of SSH scans with a source port of 80 before.  Of course, the answer is yes, but only in test cases!

I've never actually seen this take place on the internet, (well, yes, I have, but very very rarely), and of course I can cause it with certain nmap settings.  But this kind of scanning isn't commonplace, afaik, to an automated tool or script kiddie run. 

Any information that anyone could provide so that we can help out Justin, and of course the rest of the readers of the Internet Storm Center would be much appreciated.  Please write in via that Contact link at the top of our home page.  Thank you.


Joel Esler


454 Posts
Jun 23rd 2008

Sign Up for Free or Log In to start participating in the conversation!