Re: SSH CRC32? What am I seeing?

From: Jose Nazario (joseat_private)
Date: Wed Nov 21 2001 - 09:19:59 PST

  • Next message: Johannes Verelst: "Re: new trojan?"

    On Wed, 21 Nov 2001, Shaun Dewberry wrote:
    
    > Received these strange probes this afternoon, can anyone tell me what
    > they are?
    
    how many?
    
    > (I suspect it is SSH CRC32 exploit, but need confirmation).
    
    as discussed by dittrich you'd see a string of ssh connections as the
    known exploits attempt to work the addressing on your box via the crc32
    ssh exploit:
    
    http://archives.neohapsis.com/archives/incidents/2001-11/0040.html
    
    > I found this in my logs right before a couple of cgi-bin exploit
    > attempts. (my host is caffeine.co.za)
    
    that suggests an automated scanner like nessus or something along those
    lines.
    
    > Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification
    > '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit  ' from
    > 196.11.239.43
    > Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection
    > reset by peer
    
    control C (^C) makes me think its a manual probe on sshd to get the
    version number (and look for a target maybe for the crc32 exploit).
    
    doesn't look like the ssh crc32 attack on this data, to me at least.
    
    ____________________________
    jose nazario						     joseat_private
    	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 09:14:22 PST