Message-ID: <20040325093832.GC7287@oneeyedcrow.net>
From: raven at oneeyedcrow.net (Raven Alder)
Subject: Re: OpenSSH attack attempt?
Heya --
Quoth Honza Vlach (Mon, Mar 22, 2004 at 10:40:12AM +0100):
> 2004-03-22 09:01:37.781326500 Failed keyboard-interactive for illegal
> user xjunr01 from ::ffff:212.65.252.97 port 61991 ssh2
> 2004-03-22 09:01:37.781379500 Disconnecting: Too many authentication
> failures for xjunr01
> 2004-03-22 09:02:05.879614500 Bad protocol version identification
> '\377\373\037\377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' from
> ::ffff:212.65.252.97
> 2004-03-22 09:02:36.287775500 Bad protocol version identification
> '\377\373\037\377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003' from
> ::ffff:212.65.252.97
>
> Is it some attack attempt? I've checked both full-disclosure archive and
> google, unfortunately haven't found anything usable.
My guess is that it is either a program gone horribly wrong or
an attack attempt. Maybe an attack attempt gone horribly wrong. [grin]
Check out this link, which is vaguely similar:
http://seclists.org/lists/incidents/2002/Dec/0001.html
Instead of "id", though, you have the above strings after the failed login.
That seems somewhat related to dicom's vterm link.cpp. Original URL is
down, here's the Google-cached version:
http://216.239.51.104/search?q=cache:Lh1EMLqmcPIJ:imrad.ucdmc.ucdavis.edu/DevelopersCut/dicom/vterm/link.cpp+%5C377%5C375%5C001&hl=en&ie=UTF-8
Your odd sequence is labeled as the "magic init string" for telnet.
BOOL TelnetLink :: Open( char *ip )
{
    if ( !SocketTermIO :: Open (ip, "23"))
        return ( FALSE );

    // send the magic init string for telnet sessions.. note.. some
    // garbage will come back
    //SocketTermIO :: SendBinary (
    //    "\377\375\001\377\375\003\377\374\030", 9 );
    //SocketTermIO :: SendBinary (
    //    "\377\375\003\377\373\030\377\366", 8);
    SocketTermIO :: SendBinary ((unsigned char *)
        "\377\375\001\377\375\003\377\366", 8);
    // SocketTermIO :: SendBinary (
    //    "\377\373\030\377\372\030\000vt100\377\360", 9 + 5);
    //SocketTermIO :: SendBinary ( "\377\375\001", 3);

    return ( TRUE );
}
So perhaps their program is just screwing up and trying to
prepend a variant of this magic init string, but to 22 rather than 23.
You'd probably have better luck posting things like this to
incidents@...idents.org than to Full Disclosure, though.
Cheers,
Raven
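The byte sequence Raven traces to telnet option negotiation can be decoded mechanically rather than eyeballed. The following is an added example, not code from this thread or from the dicom project: it takes a constructed sshd log line in the same format as the one quoted above (documentation-range address, not a real host), undoes sshd's octal escapes, and names each IAC command and option, which lets a defender distinguish a misdirected telnet client from a genuine SSH protocol probe.

```python
import re

# Telnet protocol constants from RFC 854 (commands) and the per-option RFCs.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT", 0xF6: "AYT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 39: "NEW-ENVIRON"}

# Constructed sample modelled on the log format in the thread (not the
# original line); the address is from a documentation range.
SAMPLE_LINE = ("Bad protocol version identification "
               "'\\377\\373\\037\\377\\373\\030\\377\\373'\\377\\375\\001"
               "\\377\\373\\003\\377\\375\\003sdf' from ::ffff:192.0.2.10")

def unescape_sshd_string(line: str) -> bytes:
    """Pull the quoted banner out of an sshd log line and undo its \\ooo escapes."""
    m = re.search(r"identification '(.*)' from ", line)
    if not m:
        raise ValueError("not a 'Bad protocol version identification' line")
    return re.sub(r"\\([0-7]{3})", lambda o: chr(int(o.group(1), 8)),
                  m.group(1)).encode("latin-1")

def decode_telnet(data: bytes) -> list:
    """Split raw bytes into telnet negotiations (IAC cmd [opt]) and DATA runs."""
    out, i = [], 0
    while i < len(data):
        if data[i] != IAC:  # plain bytes: whatever the client sent or typed
            j = data.find(bytes([IAC]), i)
            j = len(data) if j < 0 else j
            out.append(("DATA", data[i:j].decode("latin-1")))
            i = j
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd in (0xFB, 0xFC, 0xFD, 0xFE) and i + 2 < len(data):
            opt = data[i + 2]  # note: an apostrophe (0x27) is option 39
            out.append((COMMANDS[cmd], OPTIONS.get(opt, f"OPT{opt}")))
            i += 3
        elif cmd == SB:  # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            end = len(data) if end < 0 else end
            out.append(("SB", data[i + 2:end].decode("latin-1")))
            i = end + 2
        else:  # bare two-byte command, or an IAC truncated at the end
            out.append((COMMANDS.get(cmd, f"CMD{cmd}"), None))
            i += 2
    return out

def is_telnet_negotiation(line: str) -> bool:
    """True when the rejected banner opens with telnet option negotiation."""
    entries = decode_telnet(unescape_sshd_string(line))
    return bool(entries) and entries[0][0] in COMMANDS.values()
```

Run over the sample, the decoder reports WILL NAWS, WILL TERMINAL-TYPE, WILL NEW-ENVIRON, DO ECHO, WILL and DO SUPPRESS-GO-AHEAD, then the trailing "sdf" as ordinary data, i.e. a telnet client talking to port 22.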