Security Incidents mailing list archives
Re: Bad protocol version identification '^V^C^A'
From: "D.C. van Moolenbroek" <dc.van.moolenbroek () chello nl>
Date: Sun, 1 Dec 2002 21:03:25 +0100
"jm" wrote: (...)

> to a 'ssh' server ( nc -vv hostAddress 22 ). However, I would be concerned with whatever services you have listening that are identified in your logs before the IP address of the remote connection (i.e. /bin/id and /usr/bin/id ...). I would check to see what these services are, and if you don't need them I would disable them, as it may be possible that someone is trying to exploit that service.

You probably mean something different... 'id' is a simple program that is capable of displaying the current user ID, and is commonly used by crackers as the default command to see whether an attack succeeded, because it's short and gives useful output. It is, however, not a "service" that could be "exploited": it's not a daemon and it's not setuid or whatever, and any other standard command (uname, uptime, w etc.) could be used instead. In other words, disabling it would not make any sense. In this case, the cracker was apparently hoping that the SSH daemon he telnetted to would respond to input the way shells or bogus CGI scripts do (look at the ` shell expansion character around the commands). Too bad for him, but nothing to worry about really - SSH daemons will never accept input like that. Anyway, one should always disable unneeded services, whether they appear in logs or not.

Regards,
David

--
class sig{static void main(String[]s){for//      D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^//      (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}//      -Java sigs look bad-

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
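The practical takeaway from the thread is that the string sshd logs after "Bad protocol version identification" is never interpreted by sshd; what matters for triage is what kind of junk was sent and which source keeps sending it. The following is an added example (not part of the original thread, and not code by any of its participants) that parses constructed syslog lines in the shape sshd uses for this event, decodes caret notation such as ^V^C^A back into the control bytes it denotes (0x16 0x03 0x01 is the start of an SSL/TLS handshake record, which is what the subject line shows), and tallies attempts per source address. The log lines, hostnames, PIDs and addresses are constructed sample data; the category names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the shape sshd uses for this event.
# Hostname, PIDs and addresses are made up for the example.
SAMPLE_LOG = """\
Dec  1 20:11:03 gw sshd[1234]: Bad protocol version identification '^V^C^A' from 192.0.2.10
Dec  1 20:12:47 gw sshd[1240]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.11
Dec  1 20:13:09 gw sshd[1251]: Bad protocol version identification '`/bin/id`' from 198.51.100.7
Dec  1 20:13:10 gw sshd[1252]: Bad protocol version identification '`/usr/bin/id`' from 198.51.100.7
Dec  1 20:14:00 gw sshd[1260]: Accepted publickey for alice from 192.0.2.20 port 51234 ssh2
"""

# Matches the sshd message and captures the rejected identification string
# and the remote address (IPv4 or IPv6).
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>.*)' from (?P<src>[0-9a-fA-F.:]+)"
)

# Caret notation as printed by the archive/terminal: ^V, ^C, ^A, ^[, ^? ...
CARET_RE = re.compile(r"\^([@A-Z\[\\\]^_?])")

# Characters that only make sense if the sender hoped a shell would see them.
SHELL_META = set("`$;|&")


def decode_caret(s):
    """Turn caret notation ('^V') back into the raw control byte (0x16)."""
    return CARET_RE.sub(lambda m: chr(ord(m.group(1)) ^ 0x40), s)


def classify(ident):
    """Label what the client sent instead of an SSH version string."""
    raw = decode_caret(ident)
    if raw.startswith("\x16\x03"):
        # 0x16 = TLS handshake record type, 0x03 0x0N = SSL/TLS version
        return "tls-handshake"
    if raw.split(" ")[0] in ("GET", "POST", "HEAD", "CONNECT"):
        return "http-request"
    if any(c in raw for c in SHELL_META) or "/bin/" in raw:
        # e.g. `/bin/id`: a probe hoping for shell-style command expansion;
        # sshd does not evaluate it, so this is just noise worth attributing.
        return "shell-command-probe"
    return "other"


def parse(log_text):
    """Extract one event dict per 'Bad protocol version identification' line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ident = m.group("ident")
        events.append({"src": m.group("src"), "ident": ident, "kind": classify(ident)})
    return events


def summarize(events):
    """Per-source counts of each category, e.g. {'198.51.100.7': Counter({...})}."""
    by_src = defaultdict(Counter)
    for e in events:
        by_src[e["src"]][e["kind"]] += 1
    return dict(by_src)


def noisy_sources(events, threshold=2):
    """Sources with at least `threshold` rejected connections, sorted by count."""
    totals = Counter(e["src"] for e in events)
    return [(src, n) for src, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, kinds in summarize(evs).items():
        print(src, dict(kinds))
    print("repeat offenders:", noisy_sources(evs))
```

The regex tolerates both the caret-rendered form and raw control bytes, so the same parser works on a terminal paste of the archive and on the live syslog file. Feeding real sshd logs through it turns a pile of alarming-looking entries into a short per-source table, which is the right input for a firewall rule or a report, rather than for removing /bin/id.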
Current thread:
- Re: Bad protocol version identification '^V^C^A' jm (Nov 30)
- RE: Bad protocol version identification '^V^C^A' Bojan Zdrnja (Dec 01)
- Re: Bad protocol version identification '^V^C^A' Matt Harris (Dec 02)
- Re: Bad protocol version identification '^V^C^A' D.C. van Moolenbroek (Dec 01)
- RE: Bad protocol version identification '^V^C^A' Bojan Zdrnja (Dec 01)