Re: sshd: invalid public DH value
- From: J Jude <jmjudeb@xxxxxxxxx>
- Date: Tue, 15 Dec 2009 00:07:22 -0800

These messages only started appearing in the latest botnet ssh weak
user/password fishing expedition. I don't think the messages are from
a legitimate client.

Yes, they could be due to corrupted packets from one of the bots on a
weak connection, but I would like to hear if anybody can think of
other possibilities.

On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
<ayampolskiy@xxxxxxxx> wrote:

Perhaps the Diffie-Hellman key exchange algorithm fails due to packets being
corrupted?

----- Original Message -----
From: listbounce@xxxxxxxxxxxxxxxxx <listbounce@xxxxxxxxxxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx <secureshell@xxxxxxxxxxxxxxxxx>
Sent: Mon Dec 14 14:16:31 2009
Subject: sshd: invalid public DH value

Has anybody seen these in their logs?

Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value

Any idea what they mean? We get lots of ssh probes, most of which can
be ignored, but I've never seen this sshd message before.
Could somebody be probing for a buffer overflow?

We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
kernel 2.6.24-26.
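
Added example (not part of the original thread, and not OpenSSH code): the log lines quoted above show sshd disconnecting a client whose Diffie-Hellman public value was <= 1. The Python below, which uses a constructed toy prime and hypothetical function names, shows why a server refuses such values: they confine the shared secret to one or two known values, whatever private exponent the server picks.

```python
# Added illustration; not OpenSSH source code.
# P is a constructed toy prime so the full key space can be enumerated;
# real SSH Diffie-Hellman groups use primes of 1024 bits or more.
P = 2879


def classify_client_public(e, p):
    """Return "ok" or the reason a client DH public value e is degenerate.

    Reason labels are this example's own; "<= 1" matches the log line above.
    """
    if e < 0:
        return "negative"
    if e <= 1:
        return "<= 1"
    if e >= p - 1:
        return ">= p-1"
    return "ok"


def possible_shared_secrets(e, p):
    """Every K = e^y mod p the server could compute, over all private y."""
    return {pow(e, y, p) for y in range(1, p - 1)}


def report(p=P):
    """Map sample client values to (verdict, number of possible secrets)."""
    samples = {"0": 0, "1": 1, "p-1": p - 1, "2": 2}
    return {
        name: (classify_client_public(e, p), len(possible_shared_secrets(e, p)))
        for name, e in samples.items()
    }


if __name__ == "__main__":
    for name, (verdict, count) in report().items():
        # A count of 1 or 2 means anyone can guess K without knowing y.
        print(f"e = {name:>3}: verdict={verdict!r:9} possible secrets={count}")
```

The disconnect in the log is the server's validation of the client's key-exchange value; on its own it does not say whether the sender was a bot or a broken client.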