Security Incidents mailing list archives
Re: Bad protocol version identification '^V^C^A'
From: Matt Harris <mdh () unix si edu>
Date: Mon, 02 Dec 2002 09:51:34 -0500
I believe a known issue regarding the ssh.com SSH server was released within the past two or three weeks - it's probably being scanned for pretty heavily. Details were on bugtraq. This is probably what this is, if you're running OpenSSH you should be fine. There's also that pesky problem with OpenSSL which affected OpenSSH on a number of platforms compiled using the vulnerable OpenSSL, it could be a scan looking for that as well. I get scanned a good 10 unique times a day, I would assume most people get scanned quite frequently as well, so as long as there're no signs of a system compromise, you shouldn't lose too much hair over it. Go through the motions, check the box for SSHD core files, etc etc, and make sure the box is safe just to be sure. Never does hurt. :-) Also check to be sure that you're using the latest stable versions of everything, especially your SSH servers and anything else [web servers, etc] that may use OpenSSL and make sure that OpenSSL itself is updated, and any binaries linked with it are suitably recompiled to use the correct and safe version and all that good stuff. Bojan Zdrnja wrote:
I suppose this is plain SSHD buffer overflow attack, followed by 'id' commands. Attacker tryed buffer overflow (which didn't succeed, according to logs) and after that he tried to execute 'id' commands to see if his attack worked (ie. If he managed to elevate his privileges). IIRC, SSH expects protocol identification as first data on the channel - attacker tried overflow and then 2 commands which SSHD interpreted as bad protocol identification.In-Reply-To: <1395.136.159.104.19.1038501745.squirrel () webmail enel ucalgary ca> I wouldn't worry too much about this. These type of log events are usually symbolic of some type of network scanner or brute force scanner. You can duplicate a similar log event by using nc or telnet and connecting to a 'ssh' server ( nc -vv hostAddress 22 ). However, I would be concerned with whatever service you have listening that are identified in you logs before the ip address of the remote connection ( ie /bin/id and /usr/bin/id ...). I would check to see what these services are and if you don't need them I would disable them as it may be possible that someone is trying to exploit that service. jm
Had the following entries in brought to my attention byLogWatch thismorning. Can anyone guide me to what they might be and if I need tobe concernedabout them?
-- /* * * Matt Harris - Senior UNIX Systems Engineer * Smithsonian Institution, OCIO * */ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Bad protocol version identification '^V^C^A' jm (Nov 30)
- RE: Bad protocol version identification '^V^C^A' Bojan Zdrnja (Dec 01)
- Re: Bad protocol version identification '^V^C^A' Matt Harris (Dec 02)
- Re: Bad protocol version identification '^V^C^A' D.C. van Moolenbroek (Dec 01)
- RE: Bad protocol version identification '^V^C^A' Bojan Zdrnja (Dec 01)