Re: what is this? (sshd messages in log)
On Thu, 24 Jan 2002 23:29:26 -0500, dman <dsh8290@rit.edu> wrote:
>
> I'm sitting at home on the console right now. I noticed this in
> xconsole, copied from /var/log/auth.log :
>
> Jan 24 23:23:50 dman sshd[3760]: Did not receive identification string from 216.153.138.132
> Jan 24 23:24:37 dman sshd[3776]: Disconnecting: Corrupted check bytes on input.
>
> It appears that someone is trying to ssh to my machine, but didn't do
> it right. Is this deduction correct? I looked up that machine and
> found :
>
> $ host 216.153.138.12
> Name: host-216-153-138-12.choiceone.net
> Address: 216.153.138.12
>
> $ nmap 216.153.138.12
>
> (The 1545 ports scanned but not shown below are in state: closed)
> Port State Service
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 5631/tcp open pcanywheredata
>
>
> Looks like a windows machine to me. Is this just a fluke, or is there
> some new worm/exploit going around?
I dunno, but sounds like the crc32 exploit. It might be worth contacting
choiceone.net with a log snippet. Do you know what's on port 5631?
--
Eric G. Miller <egm2@jps.net>