Security Incidents mailing list archives
Re: SSH CRC32? What am I seeing?
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Wed, 21 Nov 2001 12:19:59 -0500 (EST)
On Wed, 21 Nov 2001, Shaun Dewberry wrote:
> Received these strange probes this afternoon, can anyone tell me what they are?
how many?
> (I suspect it is SSH CRC32 exploit, but need confirmation).
as discussed by dittrich you'd see a string of ssh connections as the known exploits attempt to work the addressing on your box via the crc32 ssh exploit: http://archives.neohapsis.com/archives/incidents/2001-11/0040.html
> I found this in my logs right before a couple of cgi-bin exploit attempts. (my host is caffeine.co.za)
that suggests an automated scanner like nessus or something along those lines.
> Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit ' from 196.11.239.43
> Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection reset by peer
control C (^C) makes me think it's a manual probe on sshd to get the version number (and look for a target maybe for the crc32 exploit). doesn't look like the ssh crc32 attack on this data, to me at least.
____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
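The triage reasoning in the reply above (an isolated non-SSH banner versus a string of connections), sketched as log analysis in Python. This is an added example, not part of the original post. The burst thresholds, the helper names, and the idea of counting one sshd child PID per connection are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# syslog-style sshd line: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
BAD_ID = re.compile(r"Bad protocol version identification '(.*)' from (\S+)")
CARET = re.compile(r"\^[@-_?]")  # caret notation for one control byte, e.g. ^C

# Assumed thresholds (not from the thread) for a "string" of connections.
BURST_COUNT = 10
BURST_WINDOW = timedelta(seconds=60)

# The two log lines quoted in the post.
PAGE_LINES = [
    "Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification "
    "'^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit ' "
    "from 196.11.239.43",
    "Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: "
    "Connection reset by peer",
]
# Constructed sample: 12 connections in 12 seconds, reusing the page's message.
CONSTRUCTED_BURST = [
    f"Nov 21 16:20:{s:02d} fw sshd[{31000 + s}]: fatal: Read from socket "
    "failed: Connection reset by peer" for s in range(12)
]

def parse(lines, year=2001):
    """Return (timestamp, sshd child pid, message) for each sshd line."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    return events

def banner_probes(events):
    """Connections that sent something other than an SSH version string."""
    probes = []
    for _, pid, msg in events:
        m = BAD_ID.search(msg)
        if m:
            sent = m.group(1)
            probes.append({"pid": pid, "src": m.group(2),
                           "control_bytes": len(CARET.findall(sent)),
                           "tokens": CARET.sub(" ", sent).split()})
    return probes

def peak_connections(events):
    """Most distinct sshd children (assumed one per connection) in any window."""
    first = {}
    for ts, pid, _ in events:
        first.setdefault(pid, ts)
    times, lo, peak = sorted(first.values()), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > BURST_WINDOW:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak, peak >= BURST_COUNT
```

On the two quoted lines this reports one banner probe from 196.11.239.43 and a peak of two connections, below the assumed burst threshold; the constructed sample crosses it.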