Re: Strange SSHD Behaviour

From: Seth Arnold (sarnold@wirex.com)
Date: 09/12/02


Date: Wed, 11 Sep 2002 15:09:04 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux <focus-linux@securityfocus.com>


On Thu, Sep 12, 2002 at 12:55:51AM +0500, Naseer Bhatti wrote:
> Sep 10 01:15:33 redy sshd[5332]: scanned from 66.x.x.253 with
> SSH-1.0-SSH_Version_Mapper_Servers_Alive_3.1.1043. Don't panic.
[...]
> Is this some sort of scanning or internal sshd behavior? I am using OpenSSH
> 3.4 with Protocol 2 only on Linux. I am getting this from mainly 2 IPs on
> the same network I am. Any help would be appreciated.

This is more or less normal behavior. It means someone on your network
is scanning your ssh daemon to see what version you are running.
Normally, system administrators run this every once in a while to make
sure their users don't have vulnerable ssh daemons running.

http://www.citi.umich.edu/u/provos/ssh/ for the most popular ssh
scanning program.

Just make sure you are up-to-date with openssh patches and don't panic. :)

-- 
It seems the power has been robbed from the founding fathers and is now
firmly in the hand of the funding fathers -- Rik van Riel
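
Added example, not part of the original message or of OpenSSH: a small Python summary of the "scanned from ... Don't panic." sshd log entries quoted above, grouped by source address so that an administrator's routine version scan can be told apart from an unexpected source. The sample log lines, the 192.0.2.x addresses and the `known_scanners` allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the sshd message quoted in the post:
#   "<timestamp> <host> sshd[<pid>]: scanned from <ip> with <banner>. Don't panic."
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"scanned from (?P<src>\S+) with (?P<banner>\S+?)\.\s+Don't panic\."
)

# Constructed sample log; 192.0.2.0/24 is a documentation-only range.
SAMPLE_LOG = """\
Sep 10 01:15:33 redy sshd[5332]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper_Servers_Alive_3.1.1043. Don't panic.
Sep 10 01:15:40 redy sshd[5340]: Accepted password for alice from 192.0.2.77 port 4022 ssh2
Sep 10 03:02:11 redy sshd[5811]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper_Servers_Alive_3.1.1043. Don't panic.
Sep 11 09:44:02 redy sshd[6120]: scanned from 192.0.2.23 with SSH-1.0-SSH_Version_Mapper_Servers_Alive_3.1.1043. Don't panic.
"""


def summarize_scans(log_text, known_scanners=()):
    """Group scan events by source address.

    known_scanners is a hypothetical allowlist of addresses from which the
    site's administrators are expected to run version scans.
    """
    by_src = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "banners": set()}
    )
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue  # not a scan notice (e.g. a normal login line)
        entry = by_src[m["src"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["banners"].add(m["banner"])
    for src, entry in by_src.items():
        entry["expected"] = src in known_scanners
    return dict(by_src)


if __name__ == "__main__":
    report = summarize_scans(SAMPLE_LOG, known_scanners={"192.0.2.10"})
    for src, e in sorted(report.items()):
        status = "expected" if e["expected"] else "UNEXPECTED"
        print(f"{src}: {e['count']} scan(s), {e['first']} .. {e['last']}, {status}")
```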