Re: Bad protocol version identification '^V^C^A'

From: D.C. van Moolenbroek (dc.van.moolenbroek@chello.nl)
Date: 12/01/02

    From: "D.C. van Moolenbroek" <dc.van.moolenbroek@chello.nl>
    To: <incidents@securityfocus.com>
    Date: Sun, 1 Dec 2002 21:03:25 +0100
    "jm" wrote:
    (...)
    > to a 'ssh' server ( nc -vv hostAddress 22 ). However, I would be
    > concerned with whatever service you have listening that are identified in
    > you logs before the ip address of the remote connection ( ie /bin/id
    > and /usr/bin/id ...). I would check to see what these services are and if
    > you don't need them I would disable them as it may be possible that
    > someone is trying to exploit that service.

    You probably mean something different... 'id' is a simple program that is
    capable of displaying the current user ID, and is commonly used by crackers
    as the default command to see whether an attack succeeded, because it's short
    and gives useful output. It is, however, not a "service" that could be
    "exploited"; it's not a daemon and it's not setuid or whatever, and any
    other standard command (uname, uptime, w, etc.) could be used instead. In
    other words, disabling it would not make any sense.

    In this case, the cracker was apparently hoping that the SSH daemon he
    telnetted to would respond to input the way shells or bogus CGI scripts do
    (look at the ` shell expansion character around the commands). Too bad for
    him, but nothing to worry about really - SSH daemons will never accept input
    like that.

    Anyway, one should always disable unneeded services, whether they appear in
    logs or not.

    Regards,

    David

    --
    class sig{static void main(String[]s){for// D.C. van Moolenbroek
    (int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
    "Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
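A defender-side triage script, added here as an example and not part of the thread or of any SecurityFocus tooling, that parses sshd's "Bad protocol version identification" lines (the sample log lines are constructed) and labels what the client actually sent: the '^V^C^A' from the subject line decodes to the bytes 0x16 0x03 0x01, the start of a TLS handshake record, while a backtick-wrapped command like the one discussed is a shell-style probe that sshd never evaluates. The exact log format (with the optional "port N" suffix) and the classification labels are assumptions.

```python
import re
from typing import Dict, List, Optional

# Matches OpenSSH's "Bad protocol version identification" message from the
# subject line; the trailing "port N" is optional (assumed format).
LINE_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<ident>.*)' "
    r"from (?P<ip>[0-9A-Fa-f.:]+)(?: port (?P<port>\d+))?$"
)
# syslog caret notation for control characters: ^A = 0x01 ... ^_ = 0x1f, ^? = 0x7f
CARET_RE = re.compile(r"\^([@A-Z\[\\\]^_?])")

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "Dec  1 20:13:02 gw sshd[4711]: Bad protocol version identification '^V^C^A' from 203.0.113.7",
    "Dec  1 20:14:17 gw sshd[4712]: Bad protocol version identification '`/bin/id`' from 203.0.113.9 port 40112",
    "Dec  1 20:15:40 gw sshd[4713]: Bad protocol version identification 'GET / HTTP/1.0' from 203.0.113.11",
]

def decode_caret(text: str) -> bytes:
    """Turn caret notation back into the raw bytes the client sent."""
    def repl(m: re.Match) -> str:
        c = m.group(1)
        return "\x7f" if c == "?" else chr(ord(c) & 0x1F)
    return CARET_RE.sub(repl, text).encode("latin-1")

def classify(ident: bytes) -> str:
    """Label the client's first bytes; none of these are an attack on sshd itself."""
    if ident[:3] == b"\x16\x03\x01":         # TLS record: handshake, version 3.1
        return "tls-client-hello"             # someone spoke TLS/HTTPS to port 22
    if b"`" in ident or b"$(" in ident:       # backtick substitution, as in the thread
        return "shell-command-probe"          # sshd never evaluates its input as a shell
    if ident.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "http-request"                 # proxy scanners and misdirected browsers
    return "other"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = decode_caret(m.group("ident"))
    return {"ip": m.group("ip"), "port": m.group("port") or "",
            "ident": raw.hex(), "kind": classify(raw)}

def summarize(lines: List[str]) -> Dict[str, int]:
    # Count probe kinds so real exploit attempts can be told apart from noise.
    counts: Dict[str, int] = {}
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["kind"]] = counts.get(rec["kind"], 0) + 1
    return counts
```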