In-Reply-To: <1395.136.159.104.19.1038501745.squirrelat_private>

I wouldn't worry too much about this. These types of log events are usually
symbolic of some type of network scanner or brute force scanner. You can
duplicate a similar log event by using nc or telnet and connecting to a 'ssh'
server ( nc -vv hostAddress 22 ).

However, I would be concerned with whatever services you have listening that
are identified in your logs before the IP address of the remote connection
(i.e. /bin/id and /usr/bin/id ...). I would check to see what these services
are and if you don't need them I would disable them as it may be possible that
someone is trying to exploit that service.

jm

>From: Randy Millis <rmillislat_private>
>Message-ID: <1395.136.159.104.19.1038501745.squirrelat_private>
>Date: Thu, 28 Nov 2002 09:42:25 -0700 (MST)
>Subject: Bad protocol version identification '^V^C^A'
>To: <incidentsat_private>
>
>Had the following entries brought to my attention by LogWatch this
>morning.
>
>Can anyone guide me to what they might be and if I need to be concerned
>about them?
>
>Thanks.
>
> --------------------- SSHD Begin ------------------------
>
>**Unmatched Entries**
>Bad protocol version identification '^V^C^A' from xxx.xxx.xxx.xxx
>Bad protocol version identification '^V^C' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`/bin/id` #' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`/usr/bin/id` #' from
>xxx.xxx.xxx.xxx
>
>
> ---------------------- SSHD End -------------------------
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
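
Added example, not part of the original posts: a small triage script for the LogWatch entries quoted in this thread. It decodes the caret notation back to bytes and labels each banner; the source addresses and the HTTP line are constructed sample data, and the category names are this example's own.

```python
import re

# The quoted string in this sshd message is what the remote client sent
# in place of an "SSH-..." identification line.
LINE_RE = re.compile(
    r"Bad protocol version identification '(?P<banner>.*)' from (?P<src>\S+)")
CARET_RE = re.compile(r"\^([@-_?])")  # caret notation for control bytes

# Constructed sample: banners as quoted in the thread, addresses invented.
SAMPLE = [
    "Bad protocol version identification '^V^C^A' from 192.0.2.10",
    "Bad protocol version identification '^V^C' from 192.0.2.10",
    "Bad protocol version identification '`/bin/id` #' from 198.51.100.7",
    "Bad protocol version identification 'GET / HTTP/1.0' from 203.0.113.5",
    "Accepted publickey for admin from 192.0.2.20 port 50022 ssh2",
]


def decode_caret(text):
    """Turn caret notation (^V, ^C, ...) back into raw bytes."""
    def repl(m):
        return "\x7f" if m[1] == "?" else chr(ord(m[1]) ^ 0x40)
    return CARET_RE.sub(repl, text).encode("latin-1", "replace")


def classify(banner):
    raw = decode_caret(banner)
    # 0x16 = handshake record type, 0x03 = SSL 3.0/TLS major version.
    if raw[:2] == b"\x16\x03":
        return "tls-handshake"
    # Command-substitution or chaining characters aimed at a shell.
    if any(tok in raw for tok in (b"`", b"$(", b";", b"|")):
        return "shell-metachar"
    if any(b < 0x20 or b > 0x7e for b in raw):
        return "binary"
    return "other-text"


def triage(lines):
    """Return (source, category, raw banner bytes) per matching line."""
    hits = (LINE_RE.search(line) for line in lines)
    return [(m["src"], classify(m["banner"]), decode_caret(m["banner"]))
            for m in hits if m]


if __name__ == "__main__":
    for src, category, raw in triage(SAMPLE):
        print(f"{src:15} {category:15} {raw!r}")
```
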
This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 16:26:58 PST