
[Full-Disclosure] Re: OpenSSH attack attempt?



Heya --

Quoth Honza Vlach (Mon, Mar 22, 2004 at 10:40:12AM +0100):
> 2004-03-22 09:01:37.781326500 Failed keyboard-interactive for illegal
> user xjunr01 from ::ffff:212.65.252.97 port 61991 ssh2
> 2004-03-22 09:01:37.781379500 Disconnecting: Too many authentication
> failures for xjunr01
> 2004-03-22 09:02:05.879614500 Bad protocol version identification
> '\377\373\037\ 377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003sdf' from
> ::ffff:212.65.252.97
> 2004-03-22 09:02:36.287775500 Bad protocol version identification
> '\377\373\037\ 377\373
> \377\373\030\377\373'\377\375\001\377\373\003\377\375\003' from
> ::ffff:212.65.252.97
> 
> Is it some attack attempt? I've checked both full-disclosure archive and
> google, unfortunately haven't found anything usable.
 
        My guess is that it is either a program gone horribly wrong or
an attack attempt.  Maybe an attack attempt gone horribly wrong.  [grin]
Check out this link, which is vaguely similar:

http://seclists.org/lists/incidents/2002/Dec/0001.html

Instead of "id", though, you have the above strings after the failed login.
That seems somewhat related to dicom's vterm link.cpp.  Original URL is
down, here's the Google-cached version:

http://216.239.51.104/search?q=cache:Lh1EMLqmcPIJ:imrad.ucdmc.ucdavis.edu/DevelopersCut/dicom/vterm/link.cpp+%5C377%5C375%5C001&hl=en&ie=UTF-8

Your odd sequence is labeled as the "magic init string" for telnet.

BOOL TelnetLink::Open(char *ip)
        {
        if (!SocketTermIO::Open(ip, "23"))
                return (FALSE);

        // send the magic init string for telnet sessions.. note.. some
        // garbage will come back
        // (telnet command bytes: \377 = IAC, \375 = DO, \373 = WILL,
        //  \374 = WONT, \372 = SB, \360 = SE, \366 = AYT;
        //  option bytes: \001 = ECHO, \003 = SUPPRESS-GO-AHEAD,
        //  \030 = TERMINAL-TYPE)
        //SocketTermIO::SendBinary(
        //"\377\375\001\377\375\003\377\374\030", 9);   // DO ECHO, DO SGA, WONT TTYPE
        //SocketTermIO::SendBinary(
        //"\377\375\003\377\373\030\377\366", 8);       // DO SGA, WILL TTYPE, AYT
        SocketTermIO::SendBinary((unsigned char *)
                "\377\375\001\377\375\003\377\366", 8); // DO ECHO, DO SGA, AYT
//      SocketTermIO::SendBinary(
//      "\377\373\030\377\372\030\000vt100\377\360", 9 + 5); // WILL TTYPE, SB TTYPE IS "vt100" SE
        //SocketTermIO::SendBinary("\377\375\001", 3);  // DO ECHO
                return (TRUE);
        }

        So perhaps their program is just screwing up and trying to
prepend a variant of this magic init string, but to 22 rather than 23.

        You'd probably have better luck posting things like this to
incidents@xxxxxxxxxxxxx than to Full Disclosure, though.

Cheers,
Raven
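The bytes in the quoted log lines are worth decoding rather than eyeballing. What follows is an added example, not code from this thread or from link.cpp: a small Python decoder that reverses the octal escaping sshd's logger applies to non-printable bytes in the "Bad protocol version identification" message and then names every telnet command, option negotiation and SB...SE subnegotiation in the result. It assumes the first quoted log line as it read before the mail client wrapped it, with the lone space inside the quotes being the literal byte 0x20 (the TERMINAL-SPEED option code) and the apostrophe the literal byte 0x27 (NEW-ENVIRON), since sshd leaves printable bytes unescaped; the sample log line and the two link.cpp init strings below are constructed from the page on that assumption.

```python
import re

# Telnet command bytes (RFC 854) and the option codes that appear in the
# quoted log line and in link.cpp (telnet option registry).
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
COMMANDS = {
    240: "SE", 241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
    246: "AYT", 247: "EC", 248: "EL", 249: "GA", 250: "SB",
    251: "WILL", 252: "WONT", 253: "DO", 254: "DONT",
}
OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS",
    24: "TERMINAL-TYPE", 31: "NAWS", 32: "TERMINAL-SPEED",
    33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE", 39: "NEW-ENVIRON",
}

# Greedy '(.*)' is deliberate: the client string itself may contain quotes
# (0x27 is the NEW-ENVIRON option byte), so match up to the last "' from".
LOG_RE = re.compile(r"Bad protocol version identification '(.*)' from (\S+)")


def unvis(text: str) -> bytes:
    """Undo the vis(3)-style escaping sshd uses when logging: non-printable
    bytes are \\ooo octal, a backslash is \\\\, printable bytes stay literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith("\\\\", i):
            out.append(0x5C)
            i += 2
        elif text[i] == "\\" and re.fullmatch(r"[0-7]{3}", text[i + 1:i + 4]):
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_telnet(data: bytes) -> list[str]:
    """Name each telnet command, option negotiation, subnegotiation and run of
    plain data in a byte string; truncated sequences are reported, not skipped."""
    events = []
    i = 0
    while i < len(data):
        if data[i] != IAC:                       # plain data up to the next IAC
            j = data.find(bytes([IAC]), i)
            j = len(data) if j < 0 else j
            events.append(f"DATA {data[i:j]!r}")
            i = j
            continue
        if i + 1 >= len(data):
            events.append("TRUNCATED after IAC")
            break
        cmd = data[i + 1]
        if cmd == IAC:                           # IAC IAC is an escaped 0xff data byte
            events.append("DATA b'\\xff'")
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= len(data):
                events.append(f"TRUNCATED after IAC {COMMANDS[cmd]}")
                break
            opt = data[i + 2]
            events.append(f"{COMMANDS[cmd]} {OPTIONS.get(opt, f'option-{opt}')}")
            i += 3
        elif cmd == SB:                          # IAC SB <opt> <payload> IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0 or i + 2 >= end:
                events.append("TRUNCATED subnegotiation")
                break
            opt = data[i + 2]
            events.append(f"SB {OPTIONS.get(opt, f'option-{opt}')} {data[i + 3:end].hex()} SE")
            i = end + 2
        else:                                    # two-byte command such as AYT or GA
            events.append(COMMANDS.get(cmd, f"command-{cmd}"))
            i += 2
    return events


def explain_log_line(line: str):
    """Return (client address, decoded events) for a sshd 'Bad protocol version
    identification' line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(2), decode_telnet(unvis(m.group(1)))


def looks_like_telnet(data: bytes) -> bool:
    """True when the bytes open with a well-formed telnet command; a real SSH
    client opens with an ASCII 'SSH-' banner instead."""
    return bool(len(data) >= 2 and data[0] == IAC and data[1] in COMMANDS)


# Constructed sample: the first quoted log line with the e-mail wrap undone
# (assumption: the space inside the quotes is byte 0x20, the quote is 0x27).
SAMPLE_LOG = (
    "2004-03-22 09:02:05.879614500 Bad protocol version identification "
    r"'\377\373\037\377\373 \377\373\030\377\373'\377\375\001"
    r"\377\373\003\377\375\003sdf' from ::ffff:212.65.252.97"
)
# The active and one commented-out "magic init string" quoted from link.cpp.
LINK_CPP_ACTIVE = b"\377\375\001\377\375\003\377\366"
LINK_CPP_TTYPE = b"\377\373\030\377\372\030\000vt100\377\360"

if __name__ == "__main__":
    addr, events = explain_log_line(SAMPLE_LOG)
    print(addr, "sent telnet negotiation:" if looks_like_telnet(unvis(LOG_RE.search(SAMPLE_LOG).group(1))) else "sent:")
    for event in events:
        print("  ", event)
    print("link.cpp active string:", decode_telnet(LINK_CPP_ACTIVE))
    print("link.cpp TTYPE string: ", decode_telnet(LINK_CPP_TTYPE))
```

On the sample the decoder yields WILL NAWS, WILL TERMINAL-SPEED, WILL TERMINAL-TYPE, WILL NEW-ENVIRON, DO ECHO, WILL SUPPRESS-GO-AHEAD, DO SUPPRESS-GO-AHEAD followed by the plain text "sdf", and the second log line is the same negotiation with nothing typed after it. That is an ordinary interactive telnet client's opening option negotiation (the Windows telnet client sends exactly this sequence) aimed at port 22, which sshd records as "Bad protocol version identification" whenever a client fails to send an "SSH-" banner. The link.cpp active string decodes to DO ECHO, DO SUPPRESS-GO-AHEAD, AYT, a cut-down version of the same handshake, so the two are related only in being telnet negotiation; for triage, a filter that runs looks_like_telnet() over such log lines separates stray telnet sessions from genuinely random or binary junk.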

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html