Security Incidents mailing list archives

Re: SSH CRC32? What am I seeing?


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Wed, 21 Nov 2001 12:19:59 -0500 (EST)

On Wed, 21 Nov 2001, Shaun Dewberry wrote:

> Received these strange probes this afternoon, can anyone tell me what
> they are?

how many?

> (I suspect it is SSH CRC32 exploit, but need confirmation).

as discussed by dittrich you'd see a string of ssh connections as the
known exploits attempt to work the addressing on your box via the crc32
ssh exploit:

http://archives.neohapsis.com/archives/incidents/2001-11/0040.html

> I found this in my logs right before a couple of cgi-bin exploit
> attempts. (my host is caffeine.co.za)

that suggests an automated scanner like nessus or something along those
lines.

> Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification
> '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit  ' from
> 196.11.239.43
> Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection
> reset by peer

control C (^C) makes me think it's a manual probe on sshd to get the
version number (and look for a target maybe for the crc32 exploit).

doesn't look like the ssh crc32 attack on this data, to me at least.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
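As an added illustration (not part of the thread or the poster's own tooling) of the distinction Jose draws, here is a small Python triage helper that groups sshd log lines by peer address and labels a short-window burst of connections separately from a lone garbage banner. The log sample, the 192.0.2.9 address and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog sample (not from the poster's host). The first two lines
# mirror the log quoted above; the burst from 192.0.2.9 is a hypothetical
# illustration of the "string of ssh connections" Jose says the crc32 exploits produce.
SAMPLE_LOG = (
    "Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification "
    "'^Ccaffeine.co.za^C^C^C^V^Cexit  ' from 196.11.239.43\n"
    "Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection reset by peer\n"
    + "".join(f"Nov 21 17:02:{s:02d} fw sshd[{31000 + s}]: Connection from 192.0.2.9 port {40000 + s}\n"
              for s in range(0, 24, 2))
)

LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")
BANNER_RE = re.compile(r"Bad protocol version identification '(?P<banner>.*)' from")

def show_controls(s):
    """Render raw control bytes as ^X so a banner is readable; caret text passes through."""
    return "".join(f"^{chr(ord(c) + 64)}" if ord(c) < 32 else c for c in s)

def classify(log_text, burst=8, window_s=60, year=2001):
    """Group sshd events by peer address; label each 'burst', 'manual-probe' or 'other'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        peer = PEER_RE.search(m["msg"]) if m else None
        if not peer:
            continue  # e.g. 'Read from socket failed' carries no peer address to attribute
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        events[peer.group(1)].append((ts, m["msg"]))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        banners = [show_controls(b["banner"]) for _, msg in evs if (b := BANNER_RE.search(msg))]
        if len(evs) >= burst and span <= window_s:
            verdicts[ip] = ("burst", f"{len(evs)} connections in {span:.0f}s")
        elif len(evs) == 1 and banners and re.search(r"\^[A-Z]", banners[0]):
            verdicts[ip] = ("manual-probe", f"lone garbage banner {banners[0]!r}")
        else:
            verdicts[ip] = ("other", f"{len(evs)} event(s)")
    return verdicts

if __name__ == "__main__":
    for ip, (label, detail) in classify(SAMPLE_LOG).items():
        print(f"{ip:16} {label:13} {detail}")
```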


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

