Full Disclosure mailing list archives
Re: OpenSSH attack attempt?
From: Raven Alder <raven () oneeyedcrow net>
Date: Thu, 25 Mar 2004 04:38:32 -0500
Heya -- Quoth Honza Vlach (Mon, Mar 22, 2004 at 10:40:12AM +0100):
> 2004-03-22 09:01:37.781326500 Failed keyboard-interactive for illegal user xjunr01 from ::ffff:212.65.252.97 port 61991 ssh2
> 2004-03-22 09:01:37.781379500 Disconnecting: Too many authentication failures for xjunr01
> 2004-03-22 09:02:05.879614500 Bad protocol version identification '\377\373\037\377\373 \377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' from ::ffff:212.65.252.97
> 2004-03-22 09:02:36.287775500 Bad protocol version identification '\377\373\037\377\373 \377\373\030\377\373'\377\375\001\377\373\003\377\375\003' from ::ffff:212.65.252.97
>
> Is it some attack attempt? I've checked both the full-disclosure archive and Google; unfortunately I haven't found anything usable.
My guess is that it is either a program gone horribly wrong or an attack attempt. Maybe an attack attempt gone horribly wrong. [grin]

Check out this link, which is vaguely similar:
http://seclists.org/lists/incidents/2002/Dec/0001.html

Instead of "id", though, you have the above strings after the failed login. That seems somewhat related to dicom's vterm link.cpp. The original URL is down; here's the Google-cached version:
http://216.239.51.104/search?q=cache:Lh1EMLqmcPIJ:imrad.ucdmc.ucdavis.edu/DevelopersCut/dicom/vterm/link.cpp+%5C377%5C375%5C001&hl=en&ie=UTF-8

Your odd sequence is labeled as the "magic init string" for telnet.

BOOL TelnetLink :: Open( char *ip )
{
    if ( !SocketTermIO :: Open (ip, "23"))
        return ( FALSE );

    // send the magic init string for telnet sessions.. note.. some
    // garbage will come back
    //SocketTermIO :: SendBinary (
    //"\377\375\001\377\375\003\377\374\030", 9 );
    //SocketTermIO :: SendBinary (
    //"\377\375\003\377\373\030\377\366", 8);
    SocketTermIO :: SendBinary ((unsigned char *)
        "\377\375\001\377\375\003\377\366", 8);
    // SocketTermIO :: SendBinary (
    // "\377\373\030\377\372\030\000vt100\377\360", 9 + 5);
    //SocketTermIO :: SendBinary ( "\377\375\001", 3);

    return ( TRUE );
}

So perhaps their program is just screwing up and trying to prepend a variant of this magic init string, but to 22 rather than 23.

You'd probably have better luck posting things like this to incidents () incidents org than to Full Disclosure, though.

Cheers,
Raven

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
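The "magic init string" Raven points at is ordinary telnet option negotiation: every \377 is the telnet IAC byte (255), \373 is WILL and \375 is DO, and the byte after each names an option (RFC 854 and the option RFCs). sshd logs the unexpected identification string with non-printable bytes as \ooo octal escapes, which is why the negotiation shows up in the log in that form. The following triage helper, added here as an example and not code from the thread or from the vterm project, undoes sshd's octal escaping, walks the IAC commands, and classifies each "Bad protocol version identification" line. The two sample log lines are reconstructed from Honza's post (line wrapping repaired); the option-name table is the standard RFC assignment, and the function names are this example's own.

```python
import re

# Telnet command and option codes (RFC 854 and the option RFCs).
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
COMMANDS = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "REMOTE-FLOW-CONTROL", 34: "LINEMODE", 35: "X-DISPLAY-LOCATION",
    39: "NEW-ENVIRON",
}

# sshd logs the offending bytes between single quotes; a greedy match keeps
# any quote character that is itself part of the payload (0x27 = NEW-ENVIRON).
LOG_RE = re.compile(r"Bad protocol version identification '(.*)' from (\S+)")

# Constructed sample input: the two lines from the original post, unwrapped.
SAMPLE_LOG = [
    r"2004-03-22 09:02:05.879614500 Bad protocol version identification "
    r"'\377\373\037\377\373 \377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' "
    r"from ::ffff:212.65.252.97",
    r"2004-03-22 09:02:36.287775500 Bad protocol version identification "
    r"'\377\373\037\377\373 \377\373\030\377\373'\377\375\001\377\373\003\377\375\003' "
    r"from ::ffff:212.65.252.97",
]


def unvis(s: str) -> bytes:
    """Reverse sshd's vis() escaping: \\ooo octal for non-printable bytes,
    '\\\\' for a literal backslash, every other character as itself."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\":
            m = re.match(r"[0-7]{3}", s[i + 1:i + 4])
            if m:
                out.append(int(m.group(), 8))
                i += 4
                continue
            if s[i + 1:i + 2] == "\\":
                out.append(0x5C)
                i += 2
                continue
        out.append(ord(s[i]) & 0xFF)   # printable byte logged verbatim (e.g. ' ' = option 32)
        i += 1
    return bytes(out)


def decode_telnet(data: bytes) -> list:
    """Split raw bytes into (command, option) negotiation tuples and literal DATA runs."""
    events, literal, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            if literal:
                events.append(("DATA", bytes(literal).decode("latin-1")))
                literal = bytearray()
            cmd = data[i + 1]
            if cmd in COMMANDS and i + 2 < len(data):
                opt = data[i + 2]
                events.append((COMMANDS[cmd], OPTIONS.get(opt, f"OPT-{opt}")))
                i += 3
                continue
            if cmd == IAC:               # escaped literal 0xff
                literal.append(IAC)
                i += 2
                continue
            events.append(("CMD", f"0x{cmd:02x}"))   # other command (SB, NOP, ...)
            i += 2
            continue
        literal.append(b)
        i += 1
    if literal:
        events.append(("DATA", bytes(literal).decode("latin-1")))
    return events


def triage_line(line: str):
    """Return (source address, verdict, decoded events) for one sshd log line,
    or None if the line is not a 'Bad protocol version identification' entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    data = unvis(m.group(1))
    if data[:1] == bytes([IAC]):
        verdict = "telnet-negotiation"          # a telnet client pointed at port 22
    elif data.startswith((b"GET ", b"HEAD ", b"POST ")):
        verdict = "http-request"                 # a web scanner or misdirected browser
    else:
        verdict = "other"
    return m.group(2), verdict, decode_telnet(data)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        src, verdict, events = triage_line(entry)
        print(src, verdict)
        for kind, value in events:
            print("   ", kind, value)
```

Run over the two sample lines, this prints WILL NAWS, WILL TERMINAL-SPEED, WILL TERMINAL-TYPE, WILL NEW-ENVIRON, DO ECHO, WILL SUPPRESS-GO-AHEAD and DO SUPPRESS-GO-AHEAD for both, followed on the first line by the literal text "sdf": a telnet client's opening negotiation plus three typed characters, which is what Raven's reading of the bytes predicts. In a detection pipeline the verdict is the useful field; the decoded events let an analyst confirm the classification rather than trust it.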
Current thread:
- OpenSSH attack attempt? Honza Vlach (Mar 22)
- Re: OpenSSH attack attempt? ja6.com (Mar 22)
- Re: OpenSSH attack attempt? Raven Alder (Mar 25)