sshd break-in attempts

From: Emil Popov (emo@ds.primasoft.bg)
Date: 12/20/01


Date: Thu, 20 Dec 2001 11:18:31 +0000
From: Emil Popov <emo@ds.primasoft.bg>
To: incidents@securityfocus.com

Hi'ya guys,

I have been seeing some strange entries in my authlog
and I'm pretty sure these are ssh break-in attempts.
As far as I understand the issue, those attempts did not
result in a system compromise, but anyway I really need
your advice on this.

Facts:
ds% uname -a
OpenBSD ds 2.8 GENERIC#399 i386

ds% sshd -v
sshd: illegal option -- v
sshd version OpenSSH_2.3.0
BTW. only protocol version 2 is allowed.

Log Entries:
sshd[10858]: Connection from 211.218.166.200 port 2273
sshd[10858]: Did not receive ident string from 211.218.166.200.
sshd[12075]: Connection from 211.99.196.117 port 2520
sshd[12075]: Did not receive ident string from 211.99.196.117.
sshd[14033]: Connection from 212.46.97.60 port 4309
sshd[14033]: Did not receive ident string from 212.46.97.60.

And, there is no "Enabling compatibility mode for version 2" message
which is generated whenever I log in, so those clients seem to be trying
to log in with protocol ver. 1.
There is one more strange thing, that I started seeing roughly when
the sshd fuss came out:
sshd[25774]: Received disconnect: 11: All open channels closed
Would someone explain what exactly this message means?

Oh, and BTW. those IPs are outside my country and no trusted
user has ever connected from them.

That's about all I have to say :)
Any thoughts/flames/suggestions/ideas ?

P.S. Please don't go into "Reinstalling everything is your only way out"
It may be so, but please back yourself up

Thanks in advance
Emo

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
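As an added example, not part of the original post: a small Python script that correlates the quoted sshd lines by pid and reports, per source, how many connections ended without the client ever sending its protocol banner (the "Did not receive ident string" case), and maps disconnect reason 11 to its RFC 4253 name. The "Connection from 192.0.2.10" line for pid 25774 is constructed, since the post does not show one.

```python
# Added example (not part of the original post): correlate OpenSSH log lines by sshd pid
# and report, per source IP, how many connections closed before the client sent its
# protocol banner ("ident string"). A real client always sends "SSH-x.y-..." first; a
# connection with no banner is a bare TCP probe or scanner, not a login attempt.
import re
from collections import defaultdict

# Sample input: the lines quoted in the post, plus one constructed completed session
# (the "Connection from 192.0.2.10" line for pid 25774 is made up, 192.0.2.0/24 is a doc range).
SAMPLE_LOG = """\
sshd[10858]: Connection from 211.218.166.200 port 2273
sshd[10858]: Did not receive ident string from 211.218.166.200.
sshd[12075]: Connection from 211.99.196.117 port 2520
sshd[12075]: Did not receive ident string from 211.99.196.117.
sshd[14033]: Connection from 212.46.97.60 port 4309
sshd[14033]: Did not receive ident string from 212.46.97.60.
sshd[25774]: Connection from 192.0.2.10 port 40000
sshd[25774]: Received disconnect: 11: All open channels closed
"""
CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port (\d+)")
NOIDENT_RE = re.compile(r"sshd\[(\d+)\]: Did not receive ident string from (\S+)\.")
DISC_RE = re.compile(r"sshd\[(\d+)\]: Received disconnect: (\d+): (.*)")
# Reason codes from RFC 4253 section 11.1 (subset); 11 is SSH_DISCONNECT_BY_APPLICATION,
# i.e. the client itself closed the session cleanly after its channels were done.
DISCONNECT_REASONS = {2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED", 11: "BY_APPLICATION"}

def summarise(log_text):
    """Return {ip: {"total": n, "no_banner": m, "disconnects": [reason_name, ...]}}."""
    pid_to_ip = {}  # pid -> source IP, so later lines for that pid can be attributed
    stats = defaultdict(lambda: {"total": 0, "no_banner": 0, "disconnects": []})
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            pid_to_ip[m.group(1)] = m.group(2)
            stats[m.group(2)]["total"] += 1
        elif m := NOIDENT_RE.search(line):
            stats[m.group(2)]["no_banner"] += 1
        elif m := DISC_RE.search(line):
            ip = pid_to_ip.get(m.group(1), "unknown")
            code = int(m.group(2))
            stats[ip]["disconnects"].append(DISCONNECT_REASONS.get(code, f"code {code}"))
    return dict(stats)

def banner_less_sources(log_text):
    """IPs whose every connection ended without a client banner: probes, not logins."""
    s = summarise(log_text)
    return sorted(ip for ip, v in s.items() if v["total"] and v["no_banner"] == v["total"])
```

Sources returned by banner_less_sources are candidates for a firewall or libwrap deny rule rather than evidence of an authentication attempt, since no SSH protocol exchange ever started.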
