Re: Bad protocol version identification '^V^C^A'
From: jm (security@wirerats.org)
Date: 11/30/02
- Next in thread: Bojan Zdrnja: "RE: Bad protocol version identification '^V^C^A'"
- Reply: Bojan Zdrnja: "RE: Bad protocol version identification '^V^C^A'"
- Reply: D.C. van Moolenbroek: "Re: Bad protocol version identification '^V^C^A'"
Date: 30 Nov 2002 00:24:51 -0000
From: jm <security@wirerats.org>
To: incidents@securityfocus.com
In-Reply-To: <1395.136.159.104.19.1038501745.squirrel@webmail.enel.ucalgary.ca>
I wouldn't worry too much about this. These types of log events are
usually symbolic of some type of network scanner or brute force scanner.
You can duplicate a similar log event by using nc or telnet and connecting
to an 'ssh' server (nc -vv hostAddress 22). However, I would be
concerned with whatever services you have listening that are identified in
your logs before the IP address of the remote connection (i.e. /bin/id
and /usr/bin/id ...). I would check to see what these services are, and if
you don't need them I would disable them, as it may be possible that
someone is trying to exploit that service.
jm
>Received: (qmail 1361 invoked from network); 29 Nov 2002 23:47:17 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 29 Nov 2002 23:47:17 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 6F4ECA30F8; Fri, 29 Nov 2002 16:38:26 -0700 (MST)
>Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <incidents.list-id.securityfocus.com>
>List-Post: <mailto:incidents@securityfocus.com>
>List-Help: <mailto:incidents-help@securityfocus.com>
>List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
>Delivered-To: mailing list incidents@securityfocus.com
>Delivered-To: moderator for incidents@securityfocus.com
>Received: (qmail 9369 invoked from network); 28 Nov 2002 16:22:05 -0000
>From: Randy Millis <rmillisl@enel.ucalgary.ca>
>Message-ID: <1395.136.159.104.19.1038501745.squirrel@webmail.enel.ucalgary.ca>
>Date: Thu, 28 Nov 2002 09:42:25 -0700 (MST)
>Subject: Bad protocol version identification '^V^C^A'
>To: <incidents@securityfocus.com>
>X-Priority: 3
>Importance: Normal
>X-Mailer: SquirrelMail (version 1.2.8)
>MIME-Version: 1.0
>Content-Type: text/plain; charset=iso-8859-1
>Content-Transfer-Encoding: 8bit
>
>Had the following entries brought to my attention by LogWatch this
>morning.
>
>Can anyone guide me to what they might be and if I need to be concerned
>about them?
>
>Thanks.
>
> --------------------- SSHD Begin ------------------------
>
>**Unmatched Entries**
>Bad protocol version identification '^V^C^A' from xxx.xxx.xxx.xxx
>Bad protocol version identification '^V^C' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`/bin/id` #' from xxx.xxx.xxx.xxx
>Bad protocol version identification '`/usr/bin/id` #' from xxx.xxx.xxx.xxx
>
>
> ---------------------- SSHD End -------------------------
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
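An added triage helper for the log lines quoted in this thread; it is my own example, not code from either poster or from OpenSSH or LogWatch. It parses the sshd "Bad protocol version identification" message, reverses the caret notation LogWatch uses to render control characters (^V^C^A is the byte sequence 16 03 01, the header of a TLS handshake record with version 3.1, so the sender was a TLS/HTTPS client or scanner talking to port 22), and flags identification strings containing backtick or $() command substitution, which is what '`/bin/id` #' is: a string that would run `id` if some service ever pasted the banner into a shell. The category names, the plaintext-HTTP case and the two extra sample lines are my assumptions, not something the thread states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Message format exactly as it appears in the LogWatch excerpt quoted above.
LOG_RE = re.compile(
    r"Bad protocol version identification '(?P<ident>.*)' from (?P<src>\S+)"
)

# TLS record header: content type 0x16 (handshake) followed by major version 3.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"
# Assumed: a plaintext HTTP client hitting port 22 sends a request line first.
HTTP_METHODS = ("GET ", "HEAD ", "POST ", "OPTIONS ", "CONNECT ")


def decode_caret(text: str) -> bytes:
    """Reverse caret notation: '^V' -> 0x16, '^C' -> 0x03, '^A' -> 0x01, '^?' -> 0x7f.

    A caret followed by '@'..'_' denotes that character XOR 0x40; any other
    '^' is kept as a literal byte.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if ch == "^" and nxt == "?":
            out.append(0x7F)
            i += 2
        elif ch == "^" and "@" <= nxt <= "_":
            out.append(ord(nxt) ^ 0x40)
            i += 2
        else:
            out.extend(ch.encode("latin-1", errors="replace"))
            i += 1
    return bytes(out)


def classify(raw: bytes) -> str:
    """Label the bytes a client sent where sshd expected 'SSH-x.y-...'.

    Category names are this example's own, not sshd's.
    """
    if raw.startswith(TLS_HANDSHAKE_PREFIX):
        # 16 03 01 = TLS handshake record, version 3.1 (TLS 1.0): a TLS or
        # HTTPS client (or a scanner) speaking TLS to port 22.
        return "tls-client-hello"
    if b"`" in raw or b"$(" in raw:
        # Backtick / $() command substitution: a banner crafted to execute a
        # command if a service interpolates it into a shell unsanitised.
        return "shell-metacharacter-probe"
    if raw.decode("latin-1").startswith(HTTP_METHODS):
        return "http-request"
    return "other"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return src, the raw identification string, its hex bytes and a label."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = decode_caret(m.group("ident"))
    return {
        "src": m.group("src"),
        "ident": m.group("ident"),
        "hex": raw.hex(),
        "kind": classify(raw),
    }


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group identification strings by label for a quick triage view."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["kind"]].append(rec["ident"])
    return dict(groups)


# Constructed sample: the five entries quoted in the thread (source address
# already masked there), plus one plaintext-HTTP hit with a documentation
# address and one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = [
    "Bad protocol version identification '^V^C^A' from xxx.xxx.xxx.xxx",
    "Bad protocol version identification '^V^C' from xxx.xxx.xxx.xxx",
    "Bad protocol version identification '`' from xxx.xxx.xxx.xxx",
    "Bad protocol version identification '`/bin/id` #' from xxx.xxx.xxx.xxx",
    "Bad protocol version identification '`/usr/bin/id` #' from xxx.xxx.xxx.xxx",
    "Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10",
    "Accepted publickey for alice from 192.0.2.11 port 40000 ssh2",
]

if __name__ == "__main__":
    for kind, idents in summarize(SAMPLE_LOG).items():
        print(f"{kind:28s} {idents}")
```

Run it against the lines of a real auth log and the "tls-client-hello" bucket separates mis-pointed TLS clients and scanners from banners that carry shell metacharacters; the second bucket is the one that deserves a look at what else on the host might ever echo a client banner into a shell.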
- Next message: Bojan Zdrnja: "RE: Bad protocol version identification '^V^C^A'"