Message-ID: <20040325093832.GC7287@oneeyedcrow.net>
From: raven at oneeyedcrow.net (Raven Alder)
Subject: Re: OpenSSH attack attempt?

Heya --

Quoth Honza Vlach (Mon, Mar 22, 2004 at 10:40:12AM +0100):
> 2004-03-22 09:01:37.781326500 Failed keyboard-interactive for illegal
> user xjunr01 from ::ffff:212.65.252.97 port 61991 ssh2
> 2004-03-22 09:01:37.781379500 Disconnecting: Too many authentication
> failures for xjunr01
> 2004-03-22 09:02:05.879614500 Bad protocol version identification
> '\377\373\037\ 377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' from
> ::fff f:212.65.252.97
> 2004-03-22 09:02:36.287775500 Bad protocol version identification
> '\377\373\037\ 377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003' from
> ::ffff:2 12.65.252.97
> 
> Is it some attack attempt? I've checked both full-disclosure archive and
> google, unfortunately haven't found anything usable.
 
	My guess is that it is either a program gone horribly wrong or
an attack attempt.  Maybe an attack attempt gone horribly wrong.  [grin]
Check out this link, which is vaguely similar:

http://seclists.org/lists/incidents/2002/Dec/0001.html

Instead of "id", though, you have the above strings after the failed login.
That seems somewhat related to dicom's vterm link.cpp.  Original URL is
down, here's the Google-cached version:

http://216.239.51.104/search?q=cache:Lh1EMLqmcPIJ:imrad.ucdmc.ucdavis.edu/DevelopersCut/dicom/vterm/link.cpp+%5C377%5C375%5C001&hl=en&ie=UTF-8

Your odd sequence is labeled as the "magic init string" for telnet.

BOOL	TelnetLink	::	Open( char	*ip )
	{
	if ( !SocketTermIO :: Open (ip, "23"))
		return ( FALSE );
	
	// send the magic init string for telnet sessions.. note.. some
	// garbage will come back
	//SocketTermIO :: SendBinary (
	//"\377\375\001\377\375\003\377\374\030", 9 );
	//SocketTermIO :: SendBinary (
	//"\377\375\003\377\373\030\377\366", 8);
	SocketTermIO :: SendBinary ((unsigned char *)
"\377\375\001\377\375\003\377\366", 8);
//	SocketTermIO :: SendBinary (
//	"\377\373\030\377\372\030\000vt100\377\360", 9 + 5);
	//SocketTermIO :: SendBinary ( "\377\375\001", 3);
		return ( TRUE );
	}

	So perhaps their program is just screwing up and trying to
prepend a variant of this magic init string, but to 22 rather than 23.

	You'd probably have better luck posting things like this to
incidents@...idents.org than to Full Disclosure, though.

Cheers,
Raven
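
The following is an added example, not part of the original message or of the vterm source: it turns the octal escapes from the sshd log back into bytes and names the telnet negotiation commands in them, so a "Bad protocol version identification" entry can be triaged as a telnet-style client hitting port 22. Command and option names follow RFC 854/855 and the IANA telnet option list; the function names are hypothetical, and only the unwrapped tail of the logged string is used because the quoted log is line-wrapped.

```python
import re

IAC = 255
NEGOTIATE = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
COMMANDS = {240: "SE", 241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
            246: "AYT", 247: "EC", 248: "EL", 249: "GA", 250: "SB"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 39: "NEW-ENVIRON"}

# Strings copied from the page: the active SendBinary() argument in link.cpp,
# and the tail of the first logged banner (the part not broken by line wrap).
LINK_CPP_INIT = r"\377\375\001\377\375\003\377\366"
LOGGED_TAIL = r"\377\375\001\377\373\003\377\375\003sdf"

def unescape(logged: str) -> bytes:
    """Turn the \\ooo octal escapes seen in the sshd log back into raw bytes."""
    raw = re.sub(r"\\([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), logged)
    return raw.encode("latin-1")

def decode_telnet(data: bytes):
    """Return (list of telnet commands found, remaining plain bytes)."""
    cmds, text, i = [], bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] == IAC and nxt in NEGOTIATE and i + 2 < len(data):
            opt = data[i + 2]               # three-byte form: IAC <verb> <option>
            cmds.append(f"IAC {NEGOTIATE[nxt]} {OPTIONS.get(opt, opt)}")
            i += 3
        elif data[i] == IAC and nxt in COMMANDS:
            cmds.append(f"IAC {COMMANDS[nxt]}")   # two-byte form: IAC <command>
            i += 2
        else:
            text.append(data[i])            # ordinary data or a truncated sequence
            i += 1
    return cmds, bytes(text)

def looks_like_telnet(logged: str) -> bool:
    """Heuristic: two or more well-formed IAC sequences in the logged banner."""
    return len(decode_telnet(unescape(logged))[0]) >= 2

if __name__ == "__main__":
    for name, s in (("link.cpp init", LINK_CPP_INIT), ("logged tail", LOGGED_TAIL)):
        cmds, text = decode_telnet(unescape(s))
        print(f"{name}: {cmds} text={text!r} telnet={looks_like_telnet(s)}")
```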

