Re: remote openssh probe or crack?.

From: Josha Bronson (dmuz@slartibartfast.angrypacket.com)
Date: 06/13/02


Date: Wed, 12 Jun 2002 19:34:26 -0700
From: Josha Bronson <dmuz@slartibartfast.angrypacket.com>
To: "Lic. Rodolfo Gonzalez Gonzalez" <rgg@cs.buap.mx>

On Wed, Jun 12, 2002 at 06:13:08PM -0500, Lic. Rodolfo Gonzalez Gonzalez said:
> I got these lines in "messages" in a RedHat 6.2 box:

Ooh, make sure you got all the pathces. ;)

> Jun 10 09:51:57 server sshd[9100]: Did not receive identification string
> from 64.90.65.19
> Jun 10 09:52:06 server sshd[9117]: Did not receive identification string
[snip...]
>
> I guess they're related to the latest openssh vulnerability, but I don't
> know if this could be caused by a succesful remote exploitation or if this
> is just a probe/scan. Any comments on this are appreciated.

These can, I am pretty sure, be caused by just a connection to your
sshd. Usualy this is with somethng that is not really interested in
talking ssh (like a banner grabber or netcat).

-- 
Josha Bronson
dmuz@angrypacket.com
AngryPacket Security

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com