Pantek Library

Re: Bad protocol version identification '^V^C^A'

From: Matt Harris <mdh(at)unix.si.edu>
Date: Mon Dec 02 2002 - 09:51:34 EST

I believe a known issue regarding the ssh.com SSH server was released within the past two or three weeks - it's probably being scanned for pretty heavily. Details were on bugtraq. This is probably what this is; if you're running OpenSSH you should be fine. There's also that pesky problem with OpenSSL which affected OpenSSH on a number of platforms compiled using the vulnerable OpenSSL; it could be a scan looking for that as well. I get scanned a good 10 unique times a day; I would assume most people get scanned quite frequently as well, so as long as there're no signs of a system compromise, you shouldn't lose too much hair over it. Go through the motions, check the box for SSHD core files, etc. etc., and make sure the box is safe just to be sure. Never does hurt. :-)
Also check to be sure that you're using the latest stable versions of everything, especially your SSH servers and anything else [web servers, etc.] that may use OpenSSL, and make sure that OpenSSL itself is updated, and any binaries linked with it are suitably recompiled to use the correct and safe version and all that good stuff.

Bojan Zdrnja wrote:
> I suppose this is plain SSHD buffer overflow attack, followed by 'id'

> > >
> > >Had the following entries in brought to my attention by LogWatch this morning.
> > >
> > >Can anyone guide me to what they might be and if I need to be concerned about them?

-- 
/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Mon Dec 2 18:20:49 2002
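
The following is an added example, not part of the original message or of any project's code: it decodes the caret notation that syslog uses for control bytes (as in the subject line's '^V^C^A') and tallies rejected banners per source, which shows what kind of client was knocking on the SSH port. The log line layout is an assumption modelled on sshd's message, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation-range addresses), not from the thread.
SAMPLE_LOG = """\
Dec  2 03:11:07 host sshd[4021]: Bad protocol version identification '^V^C^A' from 192.0.2.10
Dec  2 03:11:09 host sshd[4023]: Bad protocol version identification '^V^C^A' from 192.0.2.10
Dec  2 04:40:51 host sshd[4101]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
Dec  2 05:02:13 host sshd[4188]: Did not receive identification string from 203.0.113.5
"""

# Assumed line layout: ... identification '<banner>' from <source>
LINE_RE = re.compile(r"Bad protocol version identification '(.*)' from (\S+)")

def decode_caret(text):
    """Turn caret notation (^@ = 0x00 ... ^_ = 0x1f, ^? = 0x7f) back into bytes.
    A literal '^' followed by such a character is indistinguishable and is decoded too."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text) and 0x3F <= ord(text[i + 1]) <= 0x5F:
            out.append(ord(text[i + 1]) ^ 0x40)
            i += 2
        else:
            out += text[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)

def classify(raw):
    """Label the first bytes the client sent instead of an SSH banner."""
    # 0x16 = TLS/SSL handshake record type, 0x03 = major version, then minor version.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "TLS/SSL handshake record (version 3.%d)" % raw[2]
    if raw.split(b" ")[0] in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "HTTP request"
    return "unrecognized"

def summarize(log_text):
    """Map source address -> {classification: count} for rejected banners."""
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            result[m.group(2)][classify(decode_caret(m.group(1)))] += 1
    return {src: dict(kinds) for src, kinds in result.items()}

if __name__ == "__main__":
    for src, kinds in summarize(SAMPLE_LOG).items():
        print(src, kinds)
```

The bytes 0x16 0x03 0x01 are the start of an SSL/TLS handshake record (version 3.1, i.e. TLS 1.0), so a banner logged as '^V^C^A' came from a client speaking SSL/TLS to the SSH port rather than SSH.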

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT

