Re: SSH CRC32? What am I seeing?

From: Martin Roesch (roeschat_private)
Date: Wed Nov 21 2001 - 13:03:52 PST


    There are Snort signatures to pick up this attack if you're so inclined,
    check out http://www.snort.org
    
         -Marty
    
    Jose Nazario wrote:
    > 
    > On Wed, 21 Nov 2001, Shaun Dewberry wrote:
    > 
    > > Received these strange probes this afternoon, can anyone tell me what
    > > they are?
    > 
    > how many?
    > 
    > > (I suspect it is SSH CRC32 exploit, but need confirmation).
    > 
    > as discussed by dittrich you'd see a string of ssh connections as the
    > known exploits attempt to work the addressing on your box via the crc32
    > ssh exploit:
    > 
    > http://archives.neohapsis.com/archives/incidents/2001-11/0040.html
    > 
    > > I found this in my logs right before a couple of cgi-bin exploit
    > > attempts. (my host is caffeine.co.za)
    > 
    > that suggests an automated scanner like nessus or something along those
    > lines.
    > 
    > > Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification
    > > '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit  ' from
    > > 196.11.239.43
    > > Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection
    > > reset by peer
    > 
    > Control-C (^C) makes me think it's a manual probe on sshd to get the
    > version number (and look for a target maybe for the crc32 exploit).
    > 
    > doesn't look like the ssh crc32 attack on this data, to me at least.
    > 
    > ____________________________
    > jose nazario                                                 joseat_private
    >                      PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    >                                        PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    --
    Martin Roesch - President, Sourcefire Inc. - (410)552-6999
    roeschat_private - http://www.sourcefire.com  
    Snort: Open Source Network IDS - http://www.snort.org
    
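Added example, not part of the thread or of any poster's code: a short Python triage script for sshd log lines of the kind quoted above. It decodes the ^X caret notation back into the control bytes the remote side actually sent (so the ^C that made Jose suspect a manual probe shows up as 0x03), labels each rejected identification string, and counts connections per source inside a sliding time window, which is the string-of-connections pattern the thread associates with crc32 exploit attempts working through candidate addresses. The sample log is constructed: the first two lines are modelled on the quoted entries (banner shortened), the rest are made up. The "Connection from ... port ..." line format, the threshold of five connections within sixty seconds, and the year 2001 (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The first two lines are
# modelled on the sshd entries quoted in the thread, with the banner shortened;
# the remaining lines are made up to show the burst pattern. The year is not
# present in syslog timestamps and is assumed to be 2001 below.
SAMPLE_LOG = """\
Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification '^Ccaffeine.co.za^C^C^C^V^Cexit  ' from 196.11.239.43
Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection reset by peer
Nov 21 16:20:01 fw sshd[30950]: Bad protocol version identification 'GET / HTTP/1.0' from 10.0.0.7
Nov 21 16:30:00 fw sshd[31001]: Connection from 192.0.2.9 port 40001
Nov 21 16:30:01 fw sshd[31002]: Connection from 192.0.2.9 port 40002
Nov 21 16:30:03 fw sshd[31003]: Connection from 192.0.2.9 port 40003
Nov 21 16:30:05 fw sshd[31004]: Connection from 192.0.2.9 port 40004
Nov 21 16:30:08 fw sshd[31005]: Connection from 192.0.2.9 port 40005
Nov 21 16:30:12 fw sshd[31006]: Connection from 192.0.2.9 port 40006
Nov 21 16:45:10 fw sshd[31100]: Connection from 198.51.100.5 port 51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
BAD_BANNER_RE = re.compile(
    r"^Bad protocol version identification '(?P<banner>.*)' from (?P<ip>\S+)$")
# Assumed format for a plain connection record (sshd at verbose log level).
CONN_RE = re.compile(r"^Connection from (?P<ip>\S+) port \d+$")


def parse_ts(ts, year):
    """Parse a syslog timestamp (which has no year) into a datetime; collapses
    the double space syslog uses for single-digit days."""
    return datetime.strptime("%d %s" % (year, " ".join(ts.split())),
                             "%Y %b %d %H:%M:%S")


def decode_caret(text):
    """Reverse the ^X caret notation used in the quoted log lines for control
    bytes (^C is 0x03, ^V is 0x16, ^? is 0x7f); everything else is kept."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text) and "?" <= text[i + 1] <= "_":
            out.append(ord(text[i + 1]) ^ 0x40)
            i += 2
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


def classify_banner(raw):
    """Rough triage of a rejected identification string.
    'interactive'  : contains control bytes, i.e. someone typing at the socket
                     (the ^C bytes in the thread's log line);
    'ssh-malformed': looks like an SSH banner that sshd still refused;
    'non-ssh'      : printable but not SSH at all (other scanners, wrong port)."""
    if any(b < 0x20 or b == 0x7F for b in raw):
        return "interactive"
    if raw.startswith(b"SSH-"):
        return "ssh-malformed"
    return "non-ssh"


def max_in_window(times, window):
    """Largest number of events from one source inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(log_text, year=2001, threshold=5, window_s=60):
    """Return rejected banners as (ip, class, raw bytes) plus the sources that
    opened >= threshold connections within window_s seconds: the "string of
    ssh connections" the thread describes for crc32 exploit attempts."""
    banners = []
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"], year), m["msg"]
        b = BAD_BANNER_RE.match(msg)
        if b:
            raw = decode_caret(b["banner"])
            banners.append((b["ip"], classify_banner(raw), raw))
            conns[b["ip"]].append(ts)
            continue
        c = CONN_RE.match(msg)
        if c:
            conns[c["ip"]].append(ts)
    window = timedelta(seconds=window_s)
    bursts = {}
    for ip, times in conns.items():
        n = max_in_window(times, window)
        if n >= threshold:
            bursts[ip] = n
    return {"banners": banners, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, kind, raw in result["banners"]:
        print("%-15s %-13s %r" % (ip, kind, raw))
    for ip, n in result["bursts"].items():
        print("burst: %s opened %d connections inside 60s" % (ip, n))
```

Run it as-is to see the sample triaged; point it at a real sshd log by reading the file into analyse(). A burst only flags a source for a closer look, it does not prove a crc32 attempt, and the banner classes are deliberately coarse: the lone ^C-laden line in the thread comes out as "interactive" with a single connection, which matches Jose's reading that it is not the exploit.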
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 14:49:54 PST