
RE: Bad protocol version identification '^V^C^A'

From: Bojan Zdrnja <Bojan.Zdrnja(at)FER.hr>
Date: Sun Dec 01 2002 - 04:15:49 EST


Hi.

I suppose this is a plain SSHD buffer overflow attack, followed by 'id' commands. The attacker tried a buffer overflow (which didn't succeed, according to the logs) and after that he tried to execute 'id' commands to see if his attack worked (i.e. if he managed to elevate his privileges). IIRC, SSH expects protocol identification as the first data on the channel - the attacker tried the overflow and then 2 commands which SSHD interpreted as bad protocol identification.

I'd check sshd versions for sure, but I think this was just an attack attempt on your server.

Best regards,

Bojan Zdrnja

> -----Original Message-----
> From: jm [mailto:security@wirerats.org]
> Sent: 30. November 2002 1:25
> To: incidents@securityfocus.com



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Dec 1 23:07:31 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT
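An added example, not part of the original message: log triage for the sshd message in the subject line, converting the caret-notation string that was logged back into bytes and checking whether the client ever sent an SSH identification string. The sample log lines, addresses and function names are constructed for illustration.

```python
import re

# sshd's rejection message; the quoted part is what the client sent in place
# of an "SSH-<protoversion>-<softwareversion>" identification string.
BAD_IDENT = re.compile(r"Bad protocol version identification '(?P<raw>.*)' from (?P<src>\S+)")
SSH_IDENT = re.compile(rb"^SSH-\d+\.\d+-\S+")

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    "Nov 30 01:20:11 host sshd[4242]: Bad protocol version identification '^V^C^A' from 192.0.2.10",
    "Nov 30 01:20:12 host sshd[4243]: Bad protocol version identification 'id' from 192.0.2.10",
    "Nov 30 01:21:40 host sshd[4250]: Accepted password for alice from 192.0.2.77 port 40022 ssh2",
]

def decode_caret(text):
    """Turn caret notation (^V -> 0x16, ^? -> 0x7f) back into bytes.
    A literal '^' followed by a letter is indistinguishable and decodes the same way."""
    out = bytearray()
    i = 0
    while i < len(text):
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if text[i] == "^" and nxt and (nxt == "?" or "@" <= nxt <= "_"):
            out.append(0x7F if nxt == "?" else ord(nxt) ^ 0x40)
            i += 2
        else:
            out.extend(text[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)

def classify(payload):
    """Label what arrived where the identification string was expected."""
    if SSH_IDENT.match(payload):
        return "ssh-ident"
    if payload and all(0x20 <= b < 0x7F for b in payload):
        return "printable-text"
    return "binary"

def triage(lines):
    """Return (source, payload as hex, class) for each rejected identification."""
    hits = []
    for line in lines:
        m = BAD_IDENT.search(line)
        if m:
            payload = decode_caret(m.group("raw"))
            hits.append((m.group("src"), payload.hex(" "), classify(payload)))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Grouping the hits by source address shows which hosts sent non-SSH data to the port and in what order.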

