Re: [gnubies-il] Ahhmm... help ?
On Mon, 14 Jan 2002, san_tsu2000 wrote:
> Please ignore my last message.
> Going over the logs brought up MULTIPLE lines in the form of:
> Jan 13 11:24:09 source sshd: Did not receive ident string from

$ whois 220.127.116.11
inetnum: 18.104.22.168 - 22.214.171.124
descr: Christian Stiller, Koeln
status: ASSIGNED PA
changed: tn@... 20001130

Looks like an address that is assigned to some German company.
>What version of sshd do you use?
> Jan 13 11:30:05 source sshd: Disconnecting: crc32 compensation
> attack: network attack detected
> Jan 13 11:31:14 source sshd: Disconnecting: Corrupted check
> bytes on input.
> Jan 13 11:42:47 source sshd: Accepted password for amir from
> 126.96.36.199 port 1433
(This is not a secret to anybody who knows the IP of your computer. Simply
telnet to port 22 of your computer to get this version number).
I'm not sure that this is it, but there is a root exploit for a relatively
old sshd hole (was fixed almost a year ago) that is now floating around
There were some more recent updates to sshd. See your distro's ssh
Tzafrir Cohen                       /"\
mailto:tzafrir@...                  \ /     ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,            X      Against HTML Mail
http://www.technion.ac.il/~tzafrir  / \
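
An added example, not part of the original message: a small triage script for sshd syslog lines of the kinds quoted in this thread, which counts each message type and flags any accepted login that follows a crc32-detector or corrupted-check-bytes disconnect. The sample log, the user name, the addresses, the 30-minute window and the year default are all assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread; the user name and
# the documentation-range addresses are placeholders, not values from it.
SAMPLE_LOG = """\
Jan 13 11:24:09 source sshd: Did not receive ident string from 192.0.2.10
Jan 13 11:30:05 source sshd: Disconnecting: crc32 compensation attack: network attack detected
Jan 13 11:31:14 source sshd: Disconnecting: Corrupted check bytes on input.
Jan 13 11:42:47 source sshd: Accepted password for alice from 192.0.2.10 port 1433
Jan 13 18:02:11 source sshd: Accepted password for alice from 198.51.100.7 port 2201
"""

# Timestamp, host, optional [pid], then the sshd message text.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd(?:\[\d+\])?: (.*)$")
RULES = [
    ("no_ident", re.compile(r"Did not receive ident(?:ification)? string from (\S+)")),
    ("crc32_detector", re.compile(r"crc32 compensation attack")),
    ("corrupt_check", re.compile(r"Corrupted check bytes on input")),
    ("login", re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")),
]
ANOMALIES = {"crc32_detector", "corrupt_check"}

def triage(text, year=2002, window=timedelta(minutes=30)):
    """Return (counts per message type, logins seen within `window` of an anomaly).

    Syslog timestamps carry no year, so `year` is supplied by the caller
    (assumption: the whole log falls inside one calendar year).
    """
    counts, alerts, last_anomaly = Counter(), [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line in the expected format
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for name, rx in RULES:
            hit = rx.search(m.group(2))
            if not hit:
                continue
            counts[name] += 1
            if name in ANOMALIES:
                last_anomaly = when
            elif name == "login" and last_anomaly and when - last_anomaly <= window:
                alerts.append((when, hit.group(2), hit.group(3)))  # time, user, source
            break
    return counts, alerts
```

A flagged login is a prompt to check the sshd version and the account's activity, not proof of compromise; the later login in the sample falls outside the window and is not flagged.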