Security Incidents mailing list archives

Re: Bad protocol version identification '^V^C^A'


From: "D.C. van Moolenbroek" <dc.van.moolenbroek () chello nl>
Date: Sun, 1 Dec 2002 21:03:25 +0100

"jm" wrote:
> (...)
> to a 'ssh' server ( nc -vv hostAddress 22 ).  However, I would be
> concerned with whatever services you have listening that are identified in
> your logs before the ip address of the remote connection ( ie /bin/id
> and /usr/bin/id ...).  I would check to see what these services are and if
> you don't need them I would disable them as it may be possible that
> someone is trying to exploit that service.

You probably mean something different... 'id' is a simple program that is
capable of displaying the current user ID, and is commonly used by crackers
as the default command to see whether an attack succeeded, because it's short
and gives useful output. It is, however, not a "service" that could be
"exploited", it's not a daemon and it's not setuid or whatever, and any
other standard command (uname, uptime, w, etc.) could be used instead. In
other words, disabling it would not make any sense.

In this case, the cracker was apparently hoping that the SSH daemon he
telnetted to would respond to input the way shells or bogus CGI scripts do
(look at the ` shell expansion character around the commands). Too bad for
him, but nothing to worry about really - SSH daemons will never accept input
like that.

Anyway, one should always disable unneeded services, whether they appear in
logs or not.

Regards,

David

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
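A small triage script for the log lines this thread is about, added here as an example (it is not code from the thread or from OpenSSH). sshd emits "Bad protocol version identification" when the first line a client sends is not an "SSH-x.y-..." version string, and the subject line shows that control characters in the payload are logged in caret notation ('^V^C^A'). The script undoes that encoding, then sorts each event into one of three buckets: the bytes 0x16 0x03 0x01 are the start of a TLS record header (handshake, version 3.1), i.e. some TLS client was pointed at port 22; backticks or the /bin/id canary are the command-injection probe David describes, which sshd ignores because it only parses a version string; and anything starting with an HTTP verb is a web client. The sample log lines, host name, PIDs and IPs are constructed placeholders, and the exact log format assumed is the one in the thread subject without the "port N" suffix that newer OpenSSH releases append.

```python
"""Triage OpenSSH "Bad protocol version identification" log lines.

sshd logs this message when a client's first line is not an SSH version
string. Control characters in the logged payload appear in caret notation
(for example '^V' for byte 0x16), so we decode that before classifying.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample lines (not taken from the thread); host, PIDs and IPs are placeholders.
SAMPLE_LOG = """\
Dec  1 20:11:02 gw sshd[4711]: Bad protocol version identification '^V^C^A' from 192.0.2.10
Dec  1 20:12:40 gw sshd[4712]: Bad protocol version identification '`/bin/id`;`/usr/bin/id`' from 198.51.100.7
Dec  1 20:13:05 gw sshd[4713]: Bad protocol version identification 'GET / HTTP/1.0' from 203.0.113.5
Dec  1 20:14:00 gw sshd[4714]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
"""

# Assumed line shape: the classic message without the "port N" suffix of newer releases.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<payload>.*)' from (?P<ip>[0-9A-Fa-f.:]+)$"
)


@dataclass
class BadVersionEvent:
    ip: str
    raw: str        # payload exactly as it appears in the log
    payload: bytes  # payload with caret notation decoded back to bytes
    kind: str       # classification label from classify()


def decode_caret(text: str) -> bytes:
    """Undo vis(3)-style caret encoding: '^X' -> X ^ 0x40, so '^V' -> 0x16 and '^?' -> 0x7f."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "^" and i + 1 < len(text) and 0x3F <= ord(text[i + 1]) <= 0x5F:
            out.append(ord(text[i + 1]) ^ 0x40)
            i += 2
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return bytes(out)


def classify(payload: bytes) -> str:
    """Label what the client most likely was, from the first bytes it sent."""
    if payload.startswith(b"\x16\x03"):
        # TLS record header: content type 0x16 (handshake), version 0x03xx.
        # Someone pointed a TLS client (or scanner) at the SSH port.
        return "tls-client-hello"
    if b"`" in payload or b"$(" in payload or re.search(rb"/(usr/)?bin/id\b", payload):
        # Shell metacharacters or the 'id' canary: a command-injection probe
        # aimed at something that is not sshd. sshd only parses a version string,
        # so nothing here was executed; it is still worth counting per source.
        return "shell-command-probe"
    if re.match(rb"(GET|POST|HEAD|CONNECT) ", payload):
        return "http-request"
    return "unknown"


def parse_line(line: str) -> Optional[BadVersionEvent]:
    """Return an event for a bad-version line, or None for any other sshd message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    payload = decode_caret(m.group("payload"))
    return BadVersionEvent(ip=m.group("ip"), raw=m.group("payload"),
                           payload=payload, kind=classify(payload))


def summarize(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count bad-version events per (kind, source IP)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.kind, ev.ip)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (kind, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:22s} {ip:16s} {n}")
```

Run it against a real auth log by replacing SAMPLE_LOG with the file contents; only the "shell-command-probe" bucket says anything about intent, and even that bucket is informational for sshd itself, which is exactly the point made above.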



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com