[CLUE-Tech] SSH probes
Sean LeBlanc
seanleblanc at attbi.com
Tue Apr 16 17:06:55 MDT 2002
On 04-16 09:48, George Finney wrote:
>
> I've been noticing lots of attempted connections to my ssh enabled boxes. I was wondering if anyone else has been seeing the same kind of trend. Typically the messages say "Illegal Protocol version" or just "Disconnected", with the connections lasting for only a second or two. I've never gotten an attempt from the same address more than once. I've been running version 3.1 of the ssh.org implementation.
>
> I'm assuming that the illegal protocol version either indicates someone looking for a server running version 1 of ssh, or someone running another implementation of ssh.
>
> The ones that just disconnect are the ones that I'm more concerned with. Whether they are looking for a Windows ssh signature, or a config that allows root login or is looking for a specific vulnerability in ssh...
>
> I suppose with the SSH kiss session last week, I thought it would be good to start a discussion on SSH security.
I'm seeing a few of these too, now that you mention it. In
/var/log/messages, I have some entries from as far back as March 18 (haven't
looked in older logs yet) that look something like this:

Apr 16 13:00:11 192 sshd[1777]: Protocol major versions differ for 195.166.232.1: <myversion> vs. SSH-1.0-SSH_Version_Mapper

Is this Version Mapper something used to look for exploitable ssh daemons?
--
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome
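
Added example (not part of the original post): one way to summarize the "Protocol major versions differ" entries quoted above, grouping them by the banner the client sent and flagging banners that arrive from several addresses that each connect only once, the pattern described in the thread. The sample log lines, the addresses (documentation ranges), the SSH-2.0-server and SSH-1.5-client banners, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the post; addresses are
# documentation ranges and the server banner is a placeholder.
SAMPLE_LOG = """\
Apr 16 13:00:11 host sshd[1777]: Protocol major versions differ for 192.0.2.10: SSH-2.0-server vs. SSH-1.0-SSH_Version_Mapper
Apr 16 13:04:52 host sshd[1781]: Protocol major versions differ for 198.51.100.7: SSH-2.0-server vs. SSH-1.0-SSH_Version_Mapper
Apr 16 14:10:03 host sshd[1790]: Protocol major versions differ for 203.0.113.5: SSH-2.0-server vs. SSH-1.5-client
Apr 16 14:10:09 host sshd[1791]: Protocol major versions differ for 203.0.113.5: SSH-2.0-server vs. SSH-1.5-client
Apr 16 14:30:00 host sshd[1800]: Accepted password for sean from 192.0.2.99 port 4022 ssh2
"""

# Each log entry must be on a single line (undo any mail-client wrapping first).
MISMATCH = re.compile(
    r"sshd\[\d+\]: Protocol major versions differ for "
    r"(?P<src>\S+): (?P<server>\S+) vs\. (?P<client>\S+)\s*$"
)

def summarize(log_text):
    """Group version-mismatch events by the client's banner string."""
    hits = defaultdict(lambda: defaultdict(int))  # banner -> source -> count
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            hits[m.group("client")][m.group("src")] += 1
    return {banner: dict(srcs) for banner, srcs in hits.items()}

def one_shot_banners(summary, min_sources=2):
    """Banners seen from several sources that each connected exactly once."""
    return sorted(
        banner for banner, srcs in summary.items()
        if len(srcs) >= min_sources and all(n == 1 for n in srcs.values())
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for banner, srcs in summary.items():
        print(banner, len(srcs), "sources,", sum(srcs.values()), "events")
    print("one-shot banners:", one_shot_banners(summary))
```
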