[geeks] SSH Scans Increasing
der Mouse
mouse at Rodents-Montreal.ORG
Thu Aug 21 10:06:11 CDT 2008
> Of course, I was really only trying to keep the logs clean. I think
> SSH is, or can be set up to be, quite secure. I wasn't worried about
> anyone getting past the SSH key stuff.
Same here, except that I also care slightly about not soaking up my CPU
cycles with kex for connections that will never go anywhere.

One interesting thing is that some substantial fraction of the malware
doing the scanning in recent months has been broken; it issues
disconnect packets that are missing the last field. Disconnect
messages are defined (RFC4253 §11.1) as

      byte      SSH_MSG_DISCONNECT
      uint32    reason code
      string    description in ISO-10646 UTF-8 encoding [RFC3629]
      string    language tag [RFC3066]

but the packets are missing the language tag:

Aug 19 02:44:56 Truly-Delicious moussh[3504]: 91.117.124.27/35070: packet too short (0 left, need 4) 01 00 00 00 0b 00 00 00 07 42 79 65 20 42 79 65

(The reason code is SSH_DISCONNECT_BY_APPLICATION and the description
string is "Bye Bye".)

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse at rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
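
Added example, not part of the post above and not moussh's code: a strict Python parser for the SSH_MSG_DISCONNECT layout quoted in the message, run over the bytes from the log line, so the truncation at the language tag can be told apart from other short packets. The function names, the field labels and the classification strings are assumptions made for this illustration.

```python
import struct

SSH_MSG_DISCONNECT = 1
SSH_DISCONNECT_BY_APPLICATION = 11  # reason code value from RFC 4253

class ShortPacket(ValueError):
    """Payload ended inside `field`; wording follows the log line in the post."""
    def __init__(self, field, left, need):
        super().__init__(f"{field}: packet too short ({left} left, need {need})")
        self.field, self.left, self.need = field, left, need

def _take(buf, off, n, field):
    left = len(buf) - off
    if left < n:
        raise ShortPacket(field, left, n)
    return buf[off:off + n], off + n

def _string(buf, off, field):
    # SSH "string": uint32 big-endian length, then that many bytes.
    raw, off = _take(buf, off, 4, field)
    return _take(buf, off, struct.unpack(">I", raw)[0], field)

def parse_disconnect(payload):
    """Return (reason, description, language tag) or raise ValueError."""
    raw, off = _take(payload, 0, 1, "message type")
    if raw[0] != SSH_MSG_DISCONNECT:
        raise ValueError(f"not SSH_MSG_DISCONNECT: type {raw[0]}")
    raw, off = _take(payload, off, 4, "reason code")
    reason = struct.unpack(">I", raw)[0]
    desc, off = _string(payload, off, "description")
    lang, off = _string(payload, off, "language tag")
    if off != len(payload):
        raise ValueError(f"{len(payload) - off} trailing bytes")
    return reason, desc.decode("utf-8"), lang.decode("ascii")

def classify(payload):
    """'ok', 'no-language-tag' (the broken scanner form), 'truncated' or 'malformed'."""
    try:
        parse_disconnect(payload)
        return "ok"
    except ShortPacket as e:
        whole_tag_missing = e.field == "language tag" and e.left == 0
        return "no-language-tag" if whole_tag_missing else "truncated"
    except ValueError:
        return "malformed"

# Payload bytes copied from the log line in the post.
LOGGED = bytes.fromhex("01 00 00 00 0b 00 00 00 07 42 79 65 20 42 79 65")
# Constructed well-formed equivalent: same fields plus an empty language tag.
WELL_FORMED = LOGGED + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    print(classify(LOGGED), classify(WELL_FORMED), parse_disconnect(WELL_FORMED))
```
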