Re: what is this? (sshd messages in log)

[Acheron <acheron@sympatico.ca>]

PCAnywhere can also be configured to listen on port 22.  It has the 
capability to scan a range of hosts for other listening pcanywhere 
servers.  This is likely just somebody running a pcAnywhere scan.  They 
might not even be aware they are doing it - some versions (as I recall) 
perform the scan automatically on startup.

Hmm... though as I recall I believe it is UDP 22 that pcAnywhere binds 
to...  anyway, that is an alternate explanation.



dman wrote:

> I'm sitting at home on the console right now.  I noticed this in
> xconsole, copied from /var/log/auth.log :
>
> Jan 24 23:23:50 dman sshd[3760]: Did not receive identification string from 216.153.138.132
> Jan 24 23:24:37 dman sshd[3776]: Disconnecting: Corrupted check bytes on input.
>
> It appears that someone is trying to ssh to my machine, but didn't do
> it right.  Is this deduction correct?  I looked up that machine and
> found :
>
> $ host 216.153.138.12
> Name: host-216-153-138-12.choiceone.net
> Address: 216.153.138.12
>
> $ nmap 216.153.138.12
>
> (The 1545 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 137/tcp    filtered    netbios-ns              
> 138/tcp    filtered    netbios-dgm             
> 139/tcp    filtered    netbios-ssn             
> 5631/tcp   open        pcanywheredata          
>
>
> Looks like a windows machine to me.  Is this just a fluke, or is there
> some new worm/exploit going around?
>
> Any thoughts, comments?
>
> -D

--
ACHERON
acheron@sympatico.ca