More ssh attempts

From: Marco Slaviero (slavieroat_private)
Date: Thu Nov 22 2001 - 01:24:43 PST

    Hi
    
    Running SSH-1.99-OpenSSH_2.5.2p2, I discovered some unusual entries in the
    logs.
    
    Nov 16 01:27:40 abraham sshd[19402]: Accepted password for s9901549 from 196.14.84.59 port 4448
    Nov 16 01:28:13 abraham sshd[19404]: Accepted password for s9901549 from 196.14.84.59 port 4452
    Nov 16 01:28:21 abraham sshd[19406]: Accepted password for s9901549 from 196.14.84.59 port 4454
    Nov 16 01:28:28 abraham sshd[19408]: Accepted password for s9901549 from 196.14.84.59 port 4456
    Nov 16 01:28:28 abraham sshd[19409]: Accepted password for s9901549 from 196.14.84.59 port 4458
    Nov 16 01:28:28 abraham sshd[19410]: Accepted password for s9901549 from 196.14.84.59 port 4460
    Nov 16 01:28:29 abraham sshd[19411]: Accepted password for s9901549 from 196.14.84.59 port 4462
    Nov 16 01:28:36 abraham sshd[19417]: Disconnecting: Protocol error: expected packet type 3, got 24
    Nov 16 01:28:37 abraham sshd[19416]: Accepted password for s9901549 from 196.14.84.59 port 4464
    Nov 16 01:28:37 abraham sshd[19418]: Unknown message during authentication: type 24
    Nov 16 01:28:37 abraham sshd[19418]: Connection closed by 196.14.84.59
    Nov 16 01:28:37 abraham sshd[19420]: Did not receive identification string from 196.14.84.59.
    Nov 16 01:28:37 abraham sshd[19419]: Disconnecting: Protocol error: expected packet type 3, got 24
    Nov 16 01:28:38 abraham sshd[19421]: Did not receive identification string from 196.14.84.59.
    Nov 16 01:28:39 abraham sshd[19422]: Accepted password for s9901549 from 196.14.84.59 port 4476
    (There are a couple of pages of this)
    
    The user has restricted (sftp, and a change passwd script) access to the box.
    It does not seem to be the crc32 attack. The user logged on about 136 times in
    an hour, and disconnected almost immediately. Anyone seen this before?
    
    Regards
    Marco Slaviero
    
    "And I'm right. I'm always right, but in this case I'm just a bit more
     right than I usually am."
    Linus Torvalds
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
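
A triage sketch for the pattern in the post above, added here as an example and not part of the original message: it counts accepted logins per user and source address in a sliding window and reports how many sshd protocol anomalies fall inside the burst. The function names, the default threshold and window, the year passed to the parser and the `alice` line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: unwrapped lines from the excerpt above, plus one constructed
# line (user "alice", 192.0.2.10) as a normal single login for contrast.
SAMPLE = """\
Nov 16 01:27:40 abraham sshd[19402]: Accepted password for s9901549 from 196.14.84.59 port 4448
Nov 16 01:28:13 abraham sshd[19404]: Accepted password for s9901549 from 196.14.84.59 port 4452
Nov 16 01:28:21 abraham sshd[19406]: Accepted password for s9901549 from 196.14.84.59 port 4454
Nov 16 01:28:28 abraham sshd[19408]: Accepted password for s9901549 from 196.14.84.59 port 4456
Nov 16 01:28:36 abraham sshd[19417]: Disconnecting: Protocol error: expected packet type 3, got 24
Nov 16 01:28:37 abraham sshd[19416]: Accepted password for s9901549 from 196.14.84.59 port 4464
Nov 16 01:28:37 abraham sshd[19418]: Unknown message during authentication: type 24
Nov 16 01:28:37 abraham sshd[19420]: Did not receive identification string from 196.14.84.59.
Nov 16 01:28:39 abraham sshd[19422]: Accepted password for s9901549 from 196.14.84.59 port 4476
Nov 16 09:15:02 abraham sshd[20110]: Accepted password for alice from 192.0.2.10 port 51000
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+")
ANOMALY = re.compile(r"Disconnecting: Protocol error|Unknown message during authentication"
                     r"|Did not receive identification string")

def parse(text, year=2001):
    """Yield (time, user, src); user is None for protocol anomalies. Syslog has no year."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        a = ACCEPT.match(m["msg"])
        if a:
            yield ts, a["user"], a["src"]
        elif ANOMALY.match(m["msg"]):
            yield ts, None, None

def login_bursts(text, window=timedelta(hours=1), threshold=5):
    """Flag (user, src) pairs with >= threshold accepted logins per window (assumed defaults)."""
    logins, anomalies, findings = defaultdict(list), [], []
    for ts, user, src in sorted(parse(text), key=lambda e: e[0]):
        (logins[(user, src)] if user else anomalies).append(ts)
    for (user, src), times in logins.items():
        lo, best = 0, (0, None, None)
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # shrink the window from the left
                lo += 1
            best = max(best, (hi - lo + 1, times[lo], t), key=lambda b: b[0])
        count, start, end = best
        if count >= threshold:
            odd = sum(start <= a <= end for a in anomalies)
            findings.append(dict(user=user, src=src, logins=count, protocol_anomalies=odd))
    return findings
```

The protocol-error lines carry no source address, so the anomaly count is correlated by time only and should be read as a hint, not as attribution.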
    