Re: remote openssh probe or crack?.

From: Nate Campi (nateat_private)
Date: Thu Jun 13 2002 - 14:01:53 PDT


    On Wed, Jun 12, 2002 at 09:33:27PM -0700, Skip Carter wrote:
    > 
    > > 
    > > I got these lines in "messages" in a RedHat 6.2 box:
    > > 
    > > Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 64.90.65.19
    > > Jun 10 09:52:06 server sshd[9117]: Did not receive identification string from 64.90.65.19
    > > Jun 11 03:07:56 server sshd[8684]: Did not receive identification string from 216.127.64.48
    > > Jun 11 03:07:56 server sshd[8688]: Did not receive identification string from 216.127.64.48
    > > Jun 12 08:14:03 server sshd[22853]: Did not receive identification string from 61.84.218.135
    > > Jun 12 08:14:05 server sshd[22871]: Did not receive identification string from 61.84.218.135
    > > 
    > > I guess they're related to the latest openssh vulnerability, but I don't
    > > know if this could be caused by a successful remote exploitation or if this
    > > is just a probe/scan. Any comments on this are appreciated.
    > 
    >    This is probably just a probe designed to find and wake up your sshd server
    >    and identify which one it is from the response.
    
    Right. telnet to port 22 and disconnect without typing anything, you'll 
    get this in your logs. The start of every ssh session involves a 
    plaintext identification of the version running. If OpenSSH doesn't see 
    the protocol being obeyed, it logs it.
    -- 
    "I had a fortune cookie the other day and it said: 'Outlook not so
    good'. I said: 'Sure, but Microsoft ships it anyway'." 
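
Added example, not part of the original message: a small triage script for the log entry discussed in this thread. It groups "Did not receive identification string" lines by source address and notes any source that also has a successful login in the same log. The sample log is constructed (documentation-range addresses, a made-up user), and the year is an assumed parameter because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread (not real data).
SAMPLE_LOG = """\
Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 192.0.2.19
Jun 10 09:52:06 server sshd[9117]: Did not receive identification string from 192.0.2.19
Jun 11 03:07:56 server sshd[8684]: Did not receive identification string from 198.51.100.48
Jun 11 03:07:56 server sshd[8688]: Did not receive identification string from 198.51.100.48
Jun 11 03:09:10 server sshd[8701]: Accepted password for alice from 198.51.100.48 port 4021 ssh2
Jun 12 08:14:03 server sshd[22853]: Did not receive identification string from 203.0.113.135
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
NO_BANNER = re.compile(r"^Did not receive identification string from (\S+)")
ACCEPTED = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")

def summarize(log_text, year=2002):
    """Per source IP: banner-less connection count, first/last time, successful logins."""
    probes = defaultdict(list)   # source IP -> timestamps of banner-less connections
    logins = defaultdict(list)   # source IP -> users with a successful login
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd syslog line
        # The year is supplied by the caller (assumption); syslog does not record it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if (nb := NO_BANNER.match(m.group(2))):
            probes[nb.group(1)].append(ts)
        elif (acc := ACCEPTED.match(m.group(2))):
            logins[acc.group(2)].append(acc.group(1))
    report = {}
    for ip, times in probes.items():
        report[ip] = {
            "count": len(times),
            "first": min(times),
            "last": max(times),
            "logins": logins.get(ip, []),  # empty list: connect-and-drop only
        }
    return report

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        note = f"also logged in as {', '.join(r['logins'])}" if r["logins"] else "no login seen"
        print(f"{ip}: {r['count']} banner-less connection(s), {r['first']} to {r['last']}, {note}")
```
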
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 21:42:44 PDT