Re: SSH attacks - anyone else seen these?

From: James Lay <jlay@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Oct 2007 13:34:18 -0600

On 10/16/07 11:06 AM, "Tim" <secnews@xxxxxxxxx> wrote:

I've recently noticed this in my logs:

Oct 15 15:30:04 mysrv sshd[9563]: Bad protocol version
identification 'POST /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..
%01/..%01/..%01/..%01/..%01/..%01/..%01' from 59.106.20.158

Oct 1 17:14:51 mysrv sshd[9915]: Bad protocol version
identification '\377\364\377\375\006\377\364\377\375\006\377\364\377\375\006'
from 84.58.87.123
Oct 1 17:15:13 airrocket sshd[11982]: Bad protocol version identification ''
from 84.58.87.123

Did anyone else notice similar things? Does anyone know what vulnerability
they are attacking?

Thanks,

Nothing in my logs..just out of curiosity, are you running sshd with
protocol version 1, 2, or both?

James

Follow-Ups:
- Re: SSH attacks - anyone else seen these?
  - From: Tim

References:
- SSH attacks - anyone else seen these?
  - From: Tim

Prev by Date: Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module
Next by Date: Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances
Previous by thread: Re: SSH attacks - anyone else seen these?
Next by thread: Re: SSH attacks - anyone else seen these?
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] defining 0day
... You do an excellent job of cross list carbon copy attacking (clcca ... is new 0day attack terminology), ... vulnerability" or "fully disclosed vulnerability". ...
(Full-Disclosure)
Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
... but the vulnerability still remains. ... the exploit path would involve attacking your host operating ... I would think the point of mitigating the risk is to buy you time to fix the ... assumes that Longhorn will fix the vulnerability. ...
(Firewall-Wizards)