Full Disclosure mailing list archives

Re: OpenSSH attack attempt?


From: Raven Alder <raven () oneeyedcrow net>
Date: Thu, 25 Mar 2004 04:38:32 -0500

Heya --

Quoth Honza Vlach (Mon, Mar 22, 2004 at 10:40:12AM +0100):
2004-03-22 09:01:37.781326500 Failed keyboard-interactive for illegal user xjunr01 from ::ffff:212.65.252.97 port 61991 ssh2
2004-03-22 09:01:37.781379500 Disconnecting: Too many authentication failures for xjunr01
2004-03-22 09:02:05.879614500 Bad protocol version identification '\377\373\037\377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' from ::ffff:212.65.252.97
2004-03-22 09:02:36.287775500 Bad protocol version identification '\377\373\037\377\373\030\377\373'\377\375\001\377\373\003\377\375\003' from ::ffff:212.65.252.97

Is it some attack attempt? I've checked both the full-disclosure archive and
Google, but unfortunately haven't found anything usable.
 
        My guess is that it is either a program gone horribly wrong or
an attack attempt.  Maybe an attack attempt gone horribly wrong.  [grin]
Check out this link, which is vaguely similar:

http://seclists.org/lists/incidents/2002/Dec/0001.html

Instead of "id", though, you have the above strings after the failed login.
That seems somewhat related to dicom's vterm link.cpp.  Original URL is
down, here's the Google-cached version:

http://216.239.51.104/search?q=cache:Lh1EMLqmcPIJ:imrad.ucdmc.ucdavis.edu/DevelopersCut/dicom/vterm/link.cpp+%5C377%5C375%5C001&hl=en&ie=UTF-8

Your odd sequence is labeled as the "magic init string" for telnet.

BOOL TelnetLink::Open(char *ip)
{
    if (!SocketTermIO::Open(ip, "23"))
        return FALSE;

    // send the magic init string for telnet sessions.. note.. some
    // garbage will come back
    //SocketTermIO::SendBinary("\377\375\001\377\375\003\377\374\030", 9);
    //SocketTermIO::SendBinary("\377\375\003\377\373\030\377\366", 8);
    // bytes sent: IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD, IAC GA
    SocketTermIO::SendBinary((unsigned char *)"\377\375\001\377\375\003\377\366", 8);
    //SocketTermIO::SendBinary("\377\373\030\377\372\030\000vt100\377\360", 9 + 5);
    //SocketTermIO::SendBinary("\377\375\001", 3);
    return TRUE;
}

        So perhaps their program is just screwing up and trying to
prepend a variant of this magic init string, but to 22 rather than 23.

        You'd probably have better luck posting things like this to
incidents () incidents org than to Full Disclosure, though.

Cheers,
Raven
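To check that reading against the actual log bytes, here is an added example that is not part of the original posts or of dicom's vterm code: a small Python decoder that takes an sshd "Bad protocol version identification" line, reverses the \ooo octal escaping, and walks the telnet IAC negotiations in the banner. The sample log line is the third line quoted above, re-joined; telnet command and option numbers are from RFC 854 and the IANA telnet-options registry (the bare `'` after `\373` in the log is the printable byte 0x27, telnet option 39, NEW-ENVIRON). Function names are this example's own.

```python
import re

# Telnet command bytes from RFC 854 and the option numbers that appear in the
# posted log (names per the IANA telnet-options registry).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
COMMANDS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT", SB: "SB", SE: "SE"}
OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE", 35: "X-DISPLAY-LOCATION",
    36: "OLD-ENVIRON", 39: "NEW-ENVIRON",
}

# Constructed sample: the third line of the quoted log, re-joined. sshd prints
# non-printable bytes as \ooo octal escapes; printable ones (here the 0x27 "'"
# that is telnet option 39, and the typed "sdf") are shown literally.
SAMPLE_LOG_LINE = (
    "2004-03-22 09:02:05.879614500 Bad protocol version identification "
    r"'\377\373\037\377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf'"
    " from ::ffff:212.65.252.97"
)


def extract_banner(log_line: str) -> str:
    """Pull the quoted banner text out of an sshd 'Bad protocol version' line."""
    m = re.search(r"identification '(.*)' from ", log_line)
    if not m:
        raise ValueError("not a 'Bad protocol version identification' line")
    return m.group(1)


def unescape_octal(text: str) -> bytes:
    """Reverse sshd's \\ooo escaping, leaving printable characters as they are."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = re.match(r"\\([0-7]{3})", text[i:])
        if m:
            out.append(int(m.group(1), 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_telnet(data: bytes):
    """Split a byte string into telnet negotiations and the plain data between them."""
    events, plain = [], bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            plain.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            events.append("IAC (truncated)")
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xFF data byte
            plain.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= len(data):
                events.append(f"IAC {COMMANDS[cmd]} (truncated)")
                break
            opt = data[i + 2]
            events.append(f"{COMMANDS[cmd]} {OPTIONS.get(opt, f'option-{opt}')}")
            i += 3
        elif cmd == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                events.append("IAC SB (unterminated)")
                break
            events.append(f"SB {data[i + 2:end].hex()} SE")
            i = end + 2
        else:
            events.append(f"IAC {COMMANDS.get(cmd, f'command-{cmd}')}")
            i += 2
    return events, bytes(plain)


def is_telnet_hello(data: bytes) -> bool:
    """True when the banner opens with IAC and carries telnet option negotiations
    instead of the 'SSH-' identification string that RFC 4253 requires."""
    if not data.startswith(bytes([IAC])):
        return False
    events, _ = decode_telnet(data)
    return any(e.split()[0] in ("WILL", "WONT", "DO", "DONT") for e in events)


if __name__ == "__main__":
    raw = unescape_octal(extract_banner(SAMPLE_LOG_LINE))
    negotiations, typed = decode_telnet(raw)
    for ev in negotiations:
        print(ev)
    print("typed text:", typed, "telnet client hello:", is_telnet_hello(raw))
```

Run against the sample line, the banner decodes to WILL NAWS, WILL TERMINAL-TYPE, WILL NEW-ENVIRON, DO ECHO, WILL SUPPRESS-GO-AHEAD, DO SUPPRESS-GO-AHEAD, followed by the plain text "sdf": an ordinary telnet client's opening negotiation plus something the user typed, sent to port 22, which sshd rejects because the first line does not start with "SSH-". The second quoted line is the same sequence without the typed text. This decoder only identifies the traffic as telnet; it says nothing about whether the other end was a misconfigured tool or a person.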

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
