From owner-freebsd-security Thu Mar 7 20:49:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from imation.homenetweb.com (noc-p5-3-ky-4.homenetweb.com [216.7.67.90]) by hub.freebsd.org (Postfix) with ESMTP id D01A837B400 for ; Thu, 7 Mar 2002 20:49:13 -0800 (PST)
Received: from noc2 (dial-18.kl.TerraNova.net [216.89.227.19]) by imation.homenetweb.com (8.12.2/8.12.2) with SMTP id g284mwhA000606; Thu, 7 Mar 2002 23:49:00 -0500 (EST)
Message-ID: <000b01c1c65c$4814d420$0101a8c0@noc2>
From: "Richard Ward"
To: "krzysztof Strzelczyk" ,
References: <20020308040130.88177.qmail@web14803.mail.yahoo.com>
Subject: Re: suspicious ssh logs
Date: Thu, 7 Mar 2002 23:46:55 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That message would most likely indicate a scan in progress. If you've already patched OpenSSH, you shouldn't have to worry. It might be worth looking through your traffic logs and finding out which IP address that came from. I've been receiving a lot of connections from machines scanning for the vulnerability.

And Mr. Lai is correct. There are surprisingly quite a few exploited Windows machines that are still scanning from the Nimda/Code Red worm. If you find yourself with nothing better to do, start up MRTG and make fun graphs of all the attempts the worms make to find Microsoft IIS.

--
Richard Ward, GM
Home Net Web, Inc.
http://homenetweb.com

----- Original Message -----
From: krzysztof Strzelczyk
To:
Sent: Thursday, March 07, 2002 11:01 PM
Subject: suspicious ssh logs

> Hello,
>
> I am getting some suspicious logs in /var/log/messages
> and also in my httpd logs. Since the ssh exploit went
> public today this worries me.
>
> Here are the logs, can anyone clarify.
>
> messages:
>
> Mar 7 17:58:10 server sshd[8783]: fatal: Local: Corrupted check bytes on input.
> Mar 7 17:58:21 server sshd[8786]: fatal: Local: Corrupted check bytes on input.
> Mar 7 17:58:36 server sshd[8791]: fatal: Local: Corrupted check bytes on input.
> Mar 7 17:58:51 server sshd[8798]: fatal: Local: Corrupted check bytes on input.
>
> httpd log: (It looks like maybe someone is trying to
> run scripts that aren't really there?)
>
> [Thu Mar 7 22:04:02 2002] [error] [client 195.252.149.234] File does not exist: /usr/local/www/data/default.ida
> [Thu Mar 7 22:18:41 2002] [error] [client 144.134.227.126] File does not exist: /usr/local/www/data/gall/kellyashton/gall1.shtml
> [Thu Mar 7 22:23:05 2002] [error] [client 67.201.235.198] File does not exist: /usr/local/www/data/gall/nia/gall1.shtml
> [Thu Mar 7 22:36:08 2002] [error] [client 68.60.16.31] File does not exist: /usr/local/www/data/default.ida
>
>
> Thanks
> -Chris
>
> __________________________________________________
> Do You Yahoo!?
> Try FREE Yahoo! Mail - the world's greatest free email!
> http://mail.yahoo.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
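As an added example (not code from either poster, and not part of the original thread), the script below does the triage the reply suggests over the two log patterns quoted above: it groups the sshd "Corrupted check bytes on input" fatals into bursts (sshd emits that message when a protocol-1 packet fails its CRC check, and this code path does not log the peer address, which is why the reply points at traffic logs for the IP), and it counts httpd "File does not exist" hits per client for paths that IIS worms probe. It goes slightly beyond the thread by also matching Nimda's root.exe and cmd.exe probes, not only Code Red's default.ida. The sample lines are constructed: the first six reproduce the poster's entries, the last two are invented Nimda-style probes from a made-up client 10.0.0.5. The regexes, function names and the signature table are this example's own assumptions about the log formats shown.

```python
"""Added triage example for the log patterns in this thread (not code from
either poster).  Sample lines are constructed: the first six reproduce the
poster's entries, the last two are invented Nimda-style probes from 10.0.0.5."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# syslog line as written by sshd on the poster's box (no year in the stamp)
SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Apache 1.3 error_log "File does not exist" line
HTTPD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] '
    r'File does not exist: (?P<path>\S+)$')

# Message sshd emits when a protocol-1 packet fails its CRC check; a run of
# these is what the reply calls "a scan in progress".
SSHD_SCAN_MSG = 'Corrupted check bytes on input'

# Request basenames characteristic of the worms the reply names (assumed table).
WORM_SIGNATURES = {
    'default.ida': 'Code Red',   # Code Red / Code Red II .ida overflow probe
    'root.exe': 'Nimda',         # backdoor left by Code Red II, reused by Nimda
    'cmd.exe': 'Nimda',          # Nimda directory-traversal probes
}

SAMPLE_SSHD = """\
Mar  7 17:58:10 server sshd[8783]: fatal: Local: Corrupted check bytes on input.
Mar  7 17:58:21 server sshd[8786]: fatal: Local: Corrupted check bytes on input.
Mar  7 17:58:36 server sshd[8791]: fatal: Local: Corrupted check bytes on input.
Mar  7 17:58:51 server sshd[8798]: fatal: Local: Corrupted check bytes on input.
""".splitlines()

SAMPLE_HTTPD = """\
[Thu Mar  7 22:04:02 2002] [error] [client 195.252.149.234] File does not exist: /usr/local/www/data/default.ida
[Thu Mar  7 22:18:41 2002] [error] [client 144.134.227.126] File does not exist: /usr/local/www/data/gall/kellyashton/gall1.shtml
[Thu Mar  7 22:23:05 2002] [error] [client 67.201.235.198] File does not exist: /usr/local/www/data/gall/nia/gall1.shtml
[Thu Mar  7 22:36:08 2002] [error] [client 68.60.16.31] File does not exist: /usr/local/www/data/default.ida
[Thu Mar  7 22:40:12 2002] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/scripts/root.exe
[Thu Mar  7 22:40:13 2002] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/winnt/system32/cmd.exe
""".splitlines()


def parse_sshd(lines, year=2002):
    """Yield (timestamp, pid, message) for lines sshd wrote; syslog omits the year."""
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        stamp = ' '.join(m['ts'].split())          # collapse the 'Mar  7' padding
        ts = datetime.strptime(f'{year} {stamp}', '%Y %b %d %H:%M:%S')
        yield ts, int(m['pid']), m['msg']


def sshd_scan_bursts(lines, window_seconds=60, threshold=3):
    """Group CRC-failure fatals that fall within window_seconds of the first one
    and return (first, last, count) for every group of at least threshold events.
    sshd does not log the peer address on this path, so correlate the timestamps
    with firewall or tcpdump output to find the scanning IP."""
    times = sorted(ts for ts, _pid, msg in parse_sshd(lines) if SSHD_SCAN_MSG in msg)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
        i = j + 1
    return bursts


def httpd_worm_probes(lines):
    """Return {client_ip: Counter({worm_family: hits})} for requests whose
    basename matches a worm signature; ordinary 404s (gall1.shtml) are ignored."""
    hits = defaultdict(Counter)
    for line in lines:
        m = HTTPD_RE.match(line)
        if not m:
            continue
        basename = m['path'].rsplit('/', 1)[-1].lower()
        family = WORM_SIGNATURES.get(basename)
        if family:
            hits[m['ip']][family] += 1
    return dict(hits)


if __name__ == '__main__':
    for first, last, n in sshd_scan_bursts(SAMPLE_SSHD):
        print(f'sshd: {n} CRC-failure fatals between {first:%H:%M:%S} and {last:%H:%M:%S}')
    for ip, families in sorted(httpd_worm_probes(SAMPLE_HTTPD).items()):
        print(f'httpd: {ip} -> {dict(families)}')
```

On the poster's four sshd lines this reports one burst of four fatals in 41 seconds; on the httpd lines it attributes one Code Red probe each to 195.252.149.234 and 68.60.16.31, ignores the two gall1.shtml 404s, and credits the constructed 10.0.0.5 with two Nimda probes. Feeding real files in (`open('/var/log/messages')` and the Apache error_log) instead of the sample lists is the only change needed; the per-IP counters are also a reasonable feed for the MRTG graphs the reply mentions.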