Security Incidents mailing list archives
Re: SSH CRC32? What am I seeing?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 21 Nov 2001 16:03:52 -0500
There are Snort signatures to pick up this attack if you're so inclined, check out http://www.snort.org

-Marty

Jose Nazario wrote:

> On Wed, 21 Nov 2001, Shaun Dewberry wrote:
>
> > Received these strange probes this afternoon, can anyone tell me what they are?
>
> how many?
>
> > (I suspect it is SSH CRC32 exploit, but need confirmation).
>
> as discussed by dittrich you'd see a string of ssh connections as the known exploits attempt to work the addressing on your box via the crc32 ssh exploit:
>
> http://archives.neohapsis.com/archives/incidents/2001-11/0040.html
>
> > I found this in my logs right before a couple of cgi-bin exploit attempts. (my host is caffeine.co.za)
>
> that suggests an automated scanner like nessus or something along those lines.
>
> > Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification '^Ccaffeine.co.za^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^V^Cexit ' from 196.11.239.43
> > Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection reset by peer
>
> control C (^C) makes me think it's a manual probe on sshd to get the version number (and look for a target maybe for the crc32 exploit). doesn't look like the ssh crc32 attack on this data, to me at least.
>
> ____________________________
> jose nazario jose () cwru edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
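Added example, not part of any message in this thread: a small triage script for the kind of sshd entry quoted above. It pulls the rejected banner and source address out of each "Bad protocol version identification" line, decodes the caret notation, and groups the results per source. The sample lines are constructed (documentation addresses), the category names are hypothetical, and the HTTP check is an assumption that goes beyond the case in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the sshd entries quoted in the thread.
SAMPLE_LOG = """\
Nov 21 16:11:21 fw sshd[30930]: Bad protocol version identification '^Cexample.test^C^C^C^V^Cexit ' from 192.0.2.43
Nov 21 16:11:45 fw sshd[30937]: fatal: Read from socket failed: Connection reset by peer
Nov 21 16:12:02 fw sshd[30941]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10
Nov 21 16:12:09 fw sshd[30944]: Bad protocol version identification 'HELP' from 192.0.2.10
"""

BANNER_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' from (?P<src>\S+)$"
)
# Caret notation as it appears in the log: ^C is byte 0x03, ^V is 0x16, ^? is 0x7f.
# Assumption: a literal '^' followed by one of these characters does not occur.
CARET_RE = re.compile(r"\^([@A-Z\[\\\]^_?])")


def decode_caret(text):
    """Turn caret notation (^C) back into the control character it stands for."""
    return CARET_RE.sub(lambda m: chr(ord(m.group(1)) ^ 0x40), text)


def classify(banner):
    """Label a rejected banner (hypothetical category names)."""
    raw = decode_caret(banner)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return "control-chars"   # keystroke-like input, as in the quoted entry
    if re.match(r"(GET|POST|HEAD|OPTIONS) \S+ HTTP/", raw):
        return "http-request"    # web client or scanner pointed at the ssh port
    return "other-text"


def triage(log_text):
    """Map each source address to the labels of its rejected banners, in order."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = BANNER_RE.search(line)
        if m:
            report[m["src"]].append(classify(m["banner"]))
    return dict(report)


if __name__ == "__main__":
    for src, labels in triage(SAMPLE_LOG).items():
        print(src, labels)
```

Lines that do not match, such as the "Read from socket failed" entry, carry no source address and are skipped, so correlating them requires the sshd PID or timestamp from a neighbouring line.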
