Re: some "scanned with SSH-1.0-SSH_Version_Mapper. Don't panic." in syslog

From: Matthew D. Close (mcloseat_private)
Date: Sun Dec 23 2001 - 17:44:21 PST


    The SSH-1.0-SSH_Version_Mapper is from a scanning tool called scanssh.
    You can find it at http://www.monkey.org/~provos/scanssh/
    
    I've seen a substantial increase in ssh scans over the last month or so.
    Probably a result of the recent vulnerabilities listed on CERT.
    
    There seem to be two types of scanning going on: one that looks like
    scanssh, and another that's a SYN scan, with a normal reconnect to port
    22 if the first scan found anything open.
    
    matthew
    
    On Sat, 22 Dec 2001, Steffen Dettmer wrote:
    
    >
    > Hi,
    >
    > I found the following in syslogs on some servers (running
    > OpenSSH):
    >
    > sshd[29575]: scanned from ::ffff:62.154.180.3 with
    > 	SSH-1.0-SSH_Version_Mapper.  Don't panic.
    >
    > and on nearly every server things like:
    >
    > sshd[13669]: connect from rootat_private
    > sshd[13669]: log: Could not reverse map address 62.154.180.3.
    >
    > Well, just looks like a portscan. There are a lot of them these
    > days. But I have a few old SuSE hosts here. I've upgraded the
    > installed SSH with the latest patches. Those hosts logged:
    >
    > sshd[13669]: fatal: Local: Your ssh version is too old and is no
    > 	longer supported.  Please install a newer version.
    >
    > Is this just a message for some unsupported protocol version (or
    > if the scanner doesn't use any protocol string after connect)?
    > Or is it anything to worry about? (Yes, complete update is
    > already scheduled :))
    >
    > Anyway, this may be a large scan which just hit my (small)
    > network.
    >
    > Does anyone know something about SSH-1.0-SSH_Version_Mapper?
    >
    > BTW, merry Christmas and a happy new year.
    >
    > oki,
    >
    > Steffen
    >
    > --
    > This letter was generated by machine,
    > and therefore bears neither signature nor seal.
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 09:37:10 PST
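
A way to triage the sshd messages discussed in this thread, as an added example that is not part of the original posts: it groups "scanned from" lines by source and client banner, and ties the address-less "too old" rejection to a source through the sshd PID it shares with the "Could not reverse map" line. The sample log is constructed (documentation addresses, made-up host names); one message per line and the classic `Mon DD HH:MM:SS host` syslog prefix are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the quoted messages; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 22 03:14:07 host1 sshd[29575]: scanned from ::ffff:192.0.2.3 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Dec 22 03:14:09 host2 sshd[13669]: log: Could not reverse map address 192.0.2.3.
Dec 22 03:14:09 host2 sshd[13669]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Dec 22 04:01:55 host1 sshd[29601]: scanned from 2001:db8::7 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Dec 22 05:20:00 host1 sshd[29700]: Accepted password for alice from 192.0.2.50 port 1022
"""

LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+sshd\[(\d+)\]:\s+(.*)$")
SCANNED = re.compile(r"scanned from (\S+) with (\S+?)\.\s+Don't panic\.")
REVMAP = re.compile(r"Could not reverse map address (\S+?)\.$")
TOO_OLD = "Your ssh version is too old"

def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) so one source is counted once."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def summarize(log_text):
    """Return {source_ip: {"banners", "hosts", "old_client_rejected"}}."""
    sources = defaultdict(lambda: {"banners": set(), "hosts": set(),
                                   "old_client_rejected": False})
    by_proc = {}  # (host, pid) -> source, for messages that carry no address
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        host, pid, msg = m.groups()
        if s := SCANNED.search(msg):
            src = normalize(s.group(1))
            sources[src]["banners"].add(s.group(2))
        elif r := REVMAP.search(msg):
            by_proc[(host, pid)] = src = normalize(r.group(1))
        elif TOO_OLD in msg and (host, pid) in by_proc:
            src = by_proc[(host, pid)]
            sources[src]["old_client_rejected"] = True
        else:
            continue  # unrelated sshd message (e.g. a normal login)
        sources[src]["hosts"].add(host)
    return dict(sources)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, sorted(info["banners"]), sorted(info["hosts"]), info["old_client_rejected"])
```

A source that shows up on several hosts with the same banner in a short window fits the sweep described in the thread; the SYN-scan variant leaves no banner line, so it has to be picked up from firewall or flow logs instead.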