Security Incidents mailing list archives

Re: remote openssh probe or crack?.


From: Justin Coffey <justin () websocietyinc com>
Date: Wed, 12 Jun 2002 18:09:23 -0700 (PDT)


All that's telling you is that someone connected to the port and didn't
really do anything.  I can replicate just by telnetting to the port and
closing the connection.

I wouldn't be worried as long as you're not running an exploitable version
of OpenSSH (>3.0.1, I think), and you have protocol version 1 disabled.
Better yet, don't permit root logins, either.

Of course, I'd try to figure out where those IPs are from.

                                -Justin

Hello,

I got these lines in "messages" in a RedHat 6.2 box:

Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 64.90.65.19
Jun 10 09:52:06 server sshd[9117]: Did not receive identification string from 64.90.65.19
Jun 11 03:07:56 server sshd[8684]: Did not receive identification string from 216.127.64.48
Jun 11 03:07:56 server sshd[8688]: Did not receive identification string from 216.127.64.48
Jun 12 08:14:03 server sshd[22853]: Did not receive identification string from 61.84.218.135
Jun 12 08:14:05 server sshd[22871]: Did not receive identification string from 61.84.218.135

I guess they're related to the latest openssh vulnerability, but I don't
know if this could be caused by a successful remote exploitation or if this
is just a probe/scan. Any comments on this are appreciated.


Thank you.
Rodolfo.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



------------------------------------------------------------------------
Justin Coffey                                        858.535.9332 x 2025
Homes.com, Inc.                                         http://homes.com
------------------------------------------------------------------------
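
Added example (not part of either post above): one way to triage these sshd entries is to rejoin lines that were wrapped in transit and count banner-less connections per source address. The sample log is constructed, uses documentation-range IPs, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted above (documentation-range IPs),
# including entries that were wrapped onto a second line.
SAMPLE = """\
Jun 10 09:51:57 server sshd[9100]: Did not receive identification string
from 192.0.2.19
Jun 10 09:52:06 server sshd[9117]: Did not receive identification string
from 192.0.2.19
Jun 10 10:02:11 server sshd[9130]: Accepted password for alice from 198.51.100.7 port 1022
Jun 11 03:07:56 server sshd[8684]: Did not receive
identification string from 203.0.113.48
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
NO_IDENT = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def unwrap(text):
    """Rejoin wrapped entries: a line without a leading syslog timestamp continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if SYSLOG_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Map each source IP to the count, first/last timestamp and sshd PIDs of its banner-less connections."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "pids": []})
    for entry in unwrap(text):
        m = NO_IDENT.match(entry)
        if not m:
            continue  # other sshd messages (e.g. successful logins) are ignored here
        rec = seen[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["pids"].append(int(m["pid"]))
    return dict(seen)

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE).items():
        print(f"{ip}: {rec['count']} connection(s) with no banner, {rec['first']} .. {rec['last']}")
```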

