Security Incidents mailing list archives

More ssh attempts


From: Marco Slaviero <slaviero () ibi co za>
Date: Thu, 22 Nov 2001 11:24:43 +0200 (SAST)

Hi

Running SSH-1.99-OpenSSH_2.5.2p2, I discovered some unusual entries in the
logs.

Nov 16 01:27:40 abraham sshd[19402]: Accepted password for s9901549 from 196.14.84.59 port 4448
Nov 16 01:28:13 abraham sshd[19404]: Accepted password for s9901549 from 196.14.84.59 port 4452
Nov 16 01:28:21 abraham sshd[19406]: Accepted password for s9901549 from 196.14.84.59 port 4454
Nov 16 01:28:28 abraham sshd[19408]: Accepted password for s9901549 from 196.14.84.59 port 4456
Nov 16 01:28:28 abraham sshd[19409]: Accepted password for s9901549 from 196.14.84.59 port 4458
Nov 16 01:28:28 abraham sshd[19410]: Accepted password for s9901549 from 196.14.84.59 port 4460
Nov 16 01:28:29 abraham sshd[19411]: Accepted password for s9901549 from 196.14.84.59 port 4462
Nov 16 01:28:36 abraham sshd[19417]: Disconnecting: Protocol error: expected packet type 3, got 24
Nov 16 01:28:37 abraham sshd[19416]: Accepted password for s9901549 from 196.14.84.59 port 4464
Nov 16 01:28:37 abraham sshd[19418]: Unknown message during authentication: type 24
Nov 16 01:28:37 abraham sshd[19418]: Connection closed by 196.14.84.59
Nov 16 01:28:37 abraham sshd[19420]: Did not receive identification string from 196.14.84.59.
Nov 16 01:28:37 abraham sshd[19419]: Disconnecting: Protocol error: expected packet type 3, got 24
Nov 16 01:28:38 abraham sshd[19421]: Did not receive identification string from 196.14.84.59.
Nov 16 01:28:39 abraham sshd[19422]: Accepted password for s9901549 from 196.14.84.59 port 4476
(There are a couple of pages of this)

The user has restricted (sftp, and a change passwd script) access to the box.
It does not seem to be the crc32 attack. The user logged on about 136 times in
an hour, and disconnected almost immediately. Anyone seen this before?

Regards
Marco Slaviero

"And I'm right. I'm always right, but in this case I'm just a bit more
 right than I usually am."
Linus Torvalds
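The pattern in the post (many "Accepted password" entries for one account from one address within a minute, mixed with protocol errors) is easy to pick out of sshd's syslog output mechanically. The following is an added example, not code from the original post: it parses lines in the same format as those above, counts accepted logins per (user, source address) in a sliding time window, and counts protocol-error lines. The sample log is constructed from the entries in the post plus one unrelated login, and the year 2001 is assumed because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the sshd entries in the post,
# plus one unrelated login (alice) that should not be flagged.
SAMPLE_LOG = """\
Nov 16 01:27:40 abraham sshd[19402]: Accepted password for s9901549 from 196.14.84.59 port 4448
Nov 16 01:28:13 abraham sshd[19404]: Accepted password for s9901549 from 196.14.84.59 port 4452
Nov 16 01:28:21 abraham sshd[19406]: Accepted password for s9901549 from 196.14.84.59 port 4454
Nov 16 01:28:28 abraham sshd[19408]: Accepted password for s9901549 from 196.14.84.59 port 4456
Nov 16 01:28:28 abraham sshd[19409]: Accepted password for s9901549 from 196.14.84.59 port 4458
Nov 16 01:28:36 abraham sshd[19417]: Disconnecting: Protocol error: expected packet type 3, got 24
Nov 16 01:28:37 abraham sshd[19418]: Unknown message during authentication: type 24
Nov 16 01:28:37 abraham sshd[19420]: Did not receive identification string from 196.14.84.59.
Nov 16 01:28:39 abraham sshd[19422]: Accepted password for s9901549 from 196.14.84.59 port 4476
Nov 16 09:00:00 abraham sshd[20001]: Accepted password for alice from 10.0.0.5 port 5000
"""

# Syslog prefix, then the sshd "Accepted <method> for <user> from <addr> port <n>" message.
ACCEPT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
PROTO_RE = re.compile(r"sshd\[\d+\]: (?:Disconnecting: Protocol error|Unknown message during authentication)")

def login_bursts(log_text, window_s=60, threshold=5, year=2001):
    """Return {(user, addr): n} for pairs with >= threshold accepted logins in any window_s seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            # Year is assumed: syslog timestamps do not carry one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            times[(m.group(2), m.group(3))].append(ts)
    bursts = {}
    for key, ts_list in times.items():
        ts_list.sort()
        j = best = 0
        for i in range(len(ts_list)):
            # Slide the window start forward until it is within window_s of ts_list[i].
            while (ts_list[i] - ts_list[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

def protocol_errors(log_text):
    """Count sshd lines reporting an unexpected packet type during authentication."""
    return sum(1 for line in log_text.splitlines() if PROTO_RE.search(line))

if __name__ == "__main__":
    print("bursts:", login_bursts(SAMPLE_LOG))
    print("protocol errors:", protocol_errors(SAMPLE_LOG))
```

On the constructed sample this flags s9901549 from 196.14.84.59 with six logins inside sixty seconds and reports two protocol-error lines; the thresholds are parameters and should be tuned to the host's normal sftp usage.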


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
