Date: Thu, 7 Mar 2002 23:46:55 -0500
From: "Richard Ward" <mh@homenetweb.com>
To: "krzysztof Strzelczyk" <cs052279@yahoo.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: suspicious ssh logs
Message-ID: <000b01c1c65c$4814d420$0101a8c0@noc2>
References: <20020308040130.88177.qmail@web14803.mail.yahoo.com>

That message would most likely indicate a scan in progress. If you've
already patched OpenSSH, you shouldn't have to worry. It might be worth
looking through your traffic logs and finding out which IP address that
came from. I've been receiving a lot of connections from machines
scanning for the vulnerability.

And Mr. Lai is correct. There are surprisingly quite a few exploited
Windows machines which are still scanning from the Nimda/Code Red worm.

If you find yourself with nothing better to do, start up MRTG and make
fun graphs of all the attempts the worms make to find Microsoft IIS.

--
Richard Ward, GM
Home Net Web, Inc.
http://homenetweb.com

----- Original Message -----
From: krzysztof Strzelczyk <cs052279@yahoo.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Thursday, March 07, 2002 11:01 PM
Subject: suspicious ssh logs

> Hello,
>
> I am getting some suspicious logs in /var/log/messages
> and also in my httpd logs. Since the ssh exploit went
> public today this worries me.
>
> Here are the logs, can anyone clarify.
>
> messages:
>
> Mar 7 17:58:10 server sshd[8783]: fatal: Local:
> Corrupted check bytes on input.
> Mar 7 17:58:21 server sshd[8786]: fatal: Local:
> Corrupted check bytes on input.
> Mar 7 17:58:36 server sshd[8791]: fatal: Local:
> Corrupted check bytes on input.
> Mar 7 17:58:51 server sshd[8798]: fatal: Local:
> Corrupted check bytes on input.
>
> httpd log: (It looks like maybe someone is trying to
> run scripts that aren't really there?)
>
> [Thu Mar 7 22:04:02 2002] [error] [client
> 195.252.149.234] File does not exist:
> /usr/local/www/data/default.ida
> [Thu Mar 7 22:18:41 2002] [error] [client
> 144.134.227.126] File does not exist:
> /usr/local/www/data/gall/kellyashton/gall1.shtml
> [Thu Mar 7 22:23:05 2002] [error] [client
> 67.201.235.198] File does not exist:
> /usr/local/www/data/gall/nia/gall1.shtml
> [Thu Mar 7 22:36:08 2002] [error] [client
> 68.60.16.31] File does not exist:
> /usr/local/www/data/default.ida
>
>
> Thanks
> -Chris
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
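
Added example, not part of the original thread: a short Python triage of the log lines quoted above. It finds the time window of the sshd errors (the lines carry no source address, so that window is what gets looked up in traffic logs) and separates the `default.ida` requests from the ordinary missing-file errors. The function names, the 60-second gap and the threshold of 3 are assumptions chosen for this illustration.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted in the post, with the e-mail line wrapping undone.
MESSAGES = """\
Mar 7 17:58:10 server sshd[8783]: fatal: Local: Corrupted check bytes on input.
Mar 7 17:58:21 server sshd[8786]: fatal: Local: Corrupted check bytes on input.
Mar 7 17:58:36 server sshd[8791]: fatal: Local: Corrupted check bytes on input.
Mar 7 17:58:51 server sshd[8798]: fatal: Local: Corrupted check bytes on input.
"""
HTTPD = """\
[Thu Mar 7 22:04:02 2002] [error] [client 195.252.149.234] File does not exist: /usr/local/www/data/default.ida
[Thu Mar 7 22:18:41 2002] [error] [client 144.134.227.126] File does not exist: /usr/local/www/data/gall/kellyashton/gall1.shtml
[Thu Mar 7 22:23:05 2002] [error] [client 67.201.235.198] File does not exist: /usr/local/www/data/gall/nia/gall1.shtml
[Thu Mar 7 22:36:08 2002] [error] [client 68.60.16.31] File does not exist: /usr/local/www/data/default.ida
"""
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: fatal: Local: "
                     r"Corrupted check bytes on input\.")
HTTPD_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client ([\d.]+)\] "
                      r"File does not exist: (\S+)")

def sshd_bursts(text, year=2002, gap=timedelta(seconds=60), threshold=3):
    """Group the sshd fatal lines into runs whose consecutive gaps are <= gap.
    Returns (first_seen, last_seen, count) per run of at least `threshold` lines.
    Syslog omits the year, so it is passed in (assumption)."""
    times = sorted(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                   for m in map(SSHD_RE.match, text.splitlines()) if m)
    runs = []
    for t in times:
        if runs and t - runs[-1][-1] <= gap:
            runs[-1].append(t)      # still inside the current burst
        else:
            runs.append([t])        # quiet period: start a new run
    return [(r[0], r[-1], len(r)) for r in runs if len(r) >= threshold]

def split_404s(text, probe_names=("default.ida",)):
    """Separate clients requesting a worm probe file from other missing files."""
    probes, other = {}, {}
    for m in filter(None, map(HTTPD_RE.match, text.splitlines())):
        client, path = m.groups()
        name = path.rsplit("/", 1)[-1].lower()
        (probes if name in probe_names else other).setdefault(client, []).append(path)
    return probes, other

if __name__ == "__main__":
    for first, last, n in sshd_bursts(MESSAGES):
        print(f"sshd: {n} fatal lines {first:%H:%M:%S}-{last:%H:%M:%S}; "
              "look up this window in the traffic logs")
    probes, other = split_404s(HTTPD)
    print("default.ida probes from:", sorted(probes))
    print("other missing files from:", sorted(other))
```
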