Security Incidents mailing list archives

SSH CRC32? What am I seeing?

From: "Shaun Dewberry" <shaund () verang co za>
Date: Wed, 21 Nov 2001 15:49:11 +0200

Hi All,

Received these strange probes this afternoon, can anyone tell me what they
are? (I suspect it is SSH CRC32 exploit, but need confirmation). I found
this in my logs right before a couple of cgi-bin exploit attempts. (my host
is caffeine.co.za)

Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification
'^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit  ' from
196.11.239.43
Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection
reset by peer

Thanks
Shaun Dewberry.

VERANG (Pty) Ltd
http://www.verang.co.za
Tel: +27 11 395 3310
Fax: +27 11 395 3971
Mobile: +27 83 415 5201

 .*.
 /V\
(/ \)
(   )
^^-^^


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

SSH CRC32? What am I seeing? Shaun Dewberry (Nov 21)
- Re: SSH CRC32? What am I seeing? SecLists (Nov 21)
- Re: SSH CRC32? What am I seeing? Jose Nazario (Nov 21)
  - Re: SSH CRC32? What am I seeing? Martin Roesch (Nov 21)