Re: sshd brake-in attempts

From: Markus Friedl (markusat_private)
Date: Thu Dec 20 2001 - 08:21:49 PST

    On Thu, Dec 20, 2001 at 11:18:31AM +0000, Emil Popov wrote:
    > sshd[10858]: Connection from 211.218.166.200 port 2273
    > sshd[10858]: Did not receive ident string from 211.218.166.200.
    > sshd[12075]: Connection from 211.99.196.117 port 2520
    > sshd[12075]: Did not receive ident string from 211.99.196.117.
    > sshd[14033]: Connection from 212.46.97.60 port 4309
    > sshd[14033]: Did not receive ident string from 212.46.97.60.
    
    this is just a scan. try
    	telnet localhost 22
    	^]
    
    > And, there is no "Enabling compatibility mode for version 2" message
    > which is generated whenever I log in, so those clients seem to be trying
    > to login with protocol ver. 1.
    
    No, these clients don't try any protocol version since they don't
    send out what protocol they want to try, thus the
    	Did not receive ident string
    message.
    
    ssh works like this:
    	server -> client:	"SSH-protocol-software_version"
    	client -> server:	"SSH-protocol-software_version"
    	server <-> client:	binary packet based protocol
    
    In your case the client just closes the connection.
    
    > There is one more strange thing, that I started seeing roughly when
    > the sshd fuss came out:
    > sshd[25774]: Received disconnect: 11: All open channels closed
    > Would someone explain what exactly this message means?
    
    This is just a message from the client. Nothing special.
    
    -m
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
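
The log pattern discussed in this message, as an added example that is not part of the original post: a small Python triage script that counts, per source address, connections that ended with "Did not receive ident string", meaning the peer closed before sending its "SSH-protocol-software_version" line. The sample log is constructed in the format quoted above with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

CONN = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port (\d+)")
NO_IDENT = re.compile(r"sshd\[(\d+)\]: Did not receive ident string from (\S+?)\.?$")

# Constructed sample in the format quoted in the thread; addresses are
# documentation-range placeholders, not hosts from the original post.
SAMPLE_LOG = """\
sshd[10858]: Connection from 192.0.2.10 port 2273
sshd[10858]: Did not receive ident string from 192.0.2.10.
sshd[12075]: Connection from 198.51.100.7 port 2520
sshd[12075]: Enabling compatibility mode for version 2
sshd[12075]: Received disconnect: 11: All open channels closed
sshd[14033]: Connection from 192.0.2.10 port 4309
sshd[14033]: Did not receive ident string from 192.0.2.10.
sshd[14100]: Did not receive ident string from 203.0.113.5.
"""

def summarize(lines):
    """Return (connections per source, no-ident probes per source)."""
    connections, probes = Counter(), Counter()
    for line in lines:
        line = line.strip()
        m = CONN.search(line)
        if m:
            connections[m.group(2)] += 1
            continue
        m = NO_IDENT.search(line)
        if m:
            # The message itself names the peer, so it is counted even when
            # the matching "Connection from" line was not logged.
            probes[m.group(2)] += 1
    return connections, probes

def scan_only_sources(lines, min_probes=1):
    """Sources whose every logged connection ended without an ident string."""
    connections, probes = summarize(lines)
    return sorted(ip for ip, n in probes.items()
                  if n >= min_probes and n >= connections.get(ip, 0))

if __name__ == "__main__":
    for ip in scan_only_sources(SAMPLE_LOG.splitlines()):
        print(ip)
```

A source that completes the version exchange at least once, like 198.51.100.7 in the sample, is not reported.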
    