Re: remote openssh probe or crack?.

From: Justin Coffey (justinat_private)
Date: Wed Jun 12 2002 - 18:09:23 PDT


    All that's telling you is that someone connected to the port and didn't
    really do anything.  I can replicate just by telnetting to the port and
    closing the connection.
    
    I wouldn't be worried as long as you're not running an exploitable version
    of OpenSSH (>3.0.1, I think), and you have protocol version 1 disabled.
    Better yet, don't permit root logins, either.
    
    Of course, I'd try to figure out where those IPs are from.
    
    				-Justin
    
    > Hello,
    >
    > I got these lines in "messages" in a RedHat 6.2 box:
    >
    > Jun 10 09:51:57 server sshd[9100]: Did not receive identification string
    > from 64.90.65.19
    > Jun 10 09:52:06 server sshd[9117]: Did not receive identification string
    > from 64.90.65.19
    > Jun 11 03:07:56 server sshd[8684]: Did not receive identification string
    > from 216.127.64.48
    > Jun 11 03:07:56 server sshd[8688]: Did not receive
    > identification string from 216.127.64.48
    > Jun 12 08:14:03 server sshd[22853]: Did not receive identification string
    > from 61.84.218.135
    > Jun 12 08:14:05 server sshd[22871]: Did not receive
    > identification string from 61.84.218.135
    >
    > I guess they're related to the latest openssh vulnerability, but I don't
    > know if this could be caused by a successful remote exploitation or if this
    > is just a probe/scan. Any comments on this are appreciated.
    >
    >
    > Thank you.
    > Rodolfo.
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    ------------------------------------------------------------------------
    Justin Coffey					     858.535.9332 x 2025
    Homes.com, Inc.						http://homes.com
    ------------------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 13:16:37 PDT
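
The reply above reads "Did not receive identification string" as a connection that was opened and closed without sending an SSH version string. The following is an added example, not part of the original thread: a small Python triage that counts those bare connects per source address and checks whether the same address produced any other sshd event. The first six sample lines are the ones quoted in the message, unwrapped; the last two lines, the 192.0.2.10 address and the "other event" check itself are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First six lines: quoted in the message (unwrapped). Last two: constructed.
SAMPLE = """\
Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 64.90.65.19
Jun 10 09:52:06 server sshd[9117]: Did not receive identification string from 64.90.65.19
Jun 11 03:07:56 server sshd[8684]: Did not receive identification string from 216.127.64.48
Jun 11 03:07:56 server sshd[8688]: Did not receive identification string from 216.127.64.48
Jun 12 08:14:03 server sshd[22853]: Did not receive identification string from 61.84.218.135
Jun 12 08:14:05 server sshd[22871]: Did not receive identification string from 61.84.218.135
Jun 12 08:20:11 server sshd[22990]: Did not receive identification string from 192.0.2.10
Jun 12 08:20:40 server sshd[22995]: Accepted password for root from 192.0.2.10 port 1045
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
NO_IDENT = re.compile(r"^Did not receive identification string from (\S+)$")
ADDR = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def triage(text):
    """Return {ip: {"probes": n, "other": [messages]}} for every probing IP."""
    probes = defaultdict(int)
    other = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd syslog line
        msg = m.group(4)
        p = NO_IDENT.match(msg)
        if p:
            probes[p.group(1)] += 1  # bare connect, no version string sent
            continue
        a = ADDR.search(msg)
        if a:
            other[a.group(1)].append(msg)  # any other sshd event naming an IP
    return {ip: {"probes": n, "other": other.get(ip, [])} for ip, n in probes.items()}

def needs_review(report):
    """IPs whose bare connects are accompanied by some other sshd event."""
    return sorted(ip for ip, r in report.items() if r["other"])

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for ip, r in rep.items():
        print(ip, r["probes"], "bare connect(s);", len(r["other"]), "other sshd event(s)")
    print("review:", needs_review(rep))
```

On the six lines from the message alone, every source shows two bare connects and no other sshd activity.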