On Wed, 21 Nov 2001, Shaun Dewberry wrote: > Received these strange probes this afternoon, can anyone tell me what > they are? how many? > (I suspect it is SSH CRC32 exploit, but need confirmation). as discussed by dittrich you'd see a string of ssh connections as the known exploits attempt to work the addressing on your box via the crc32 ssh exploit: http://archives.neohapsis.com/archives/incidents/2001-11/0040.html > I found this in my logs right before a couple of cgi-bin exploit > attempts. (my host is caffeine.co.za) that suggests an automated scanner like nessus or something along those lines. > Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification > '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit ' from > 196.11.239.43 > Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection > reset by peer control C (^C) makes me think its a manual probe on sshd to get the version number (and look for a target maybe for the crc32 exploit). doesn't look like the ssh crc32 attack on this data, to me at least. ____________________________ jose nazario joseat_private PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 PGP key ID 0xFD37F4E5 (pgp.mit.edu) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 09:14:22 PST