
Re: Why do SSH cracking attempts start with "Did not receive identification string"?

On Friday, 02.09.2005 at 12:24 +0100, Adam Funk wrote:

> My logs from SSH cracking attempts often start like this.
> Sep  2 00:01:09 foo sshd[6988]: Did not receive identification string from
> Sep  2 00:05:30 foo sshd[7832]: Failed password for illegal user root from port 45069 ssh2
> Sep  2 00:05:31 foo sshd[7834]: Failed password for illegal user fluffy from port 45552 ssh2
> Sep  2 00:05:32 foo sshd[7836]: Failed password for illegal user admin from port 45614 ssh2
> Sep  2 00:05:34 foo sshd[7838]: Failed password for illegal user test from port 45631 ssh2
> Sep  2 00:05:35 foo sshd[7840]: Failed password for illegal user guest from port 46340 ssh2
> Sep  2 00:05:36 foo sshd[7842]: Failed password for illegal user webmaster from port 46779 ssh2
> Sep  2 00:05:41 foo sshd[7844]: Failed password for illegal user mysql from port 46834 ssh2
> Sep  2 00:05:42 foo sshd[7846]: Failed password for illegal user oracle from port 48103 ssh2
> ...
> Sometimes the interval between "Did not receive" and the first "Failed
> password" is as long as 20 minutes.  Why do the SSH cracking programs
> omit the string the first time, and why do they wait a while after
> that to start trying userids and passwords?

If it's a manual attempt at cracking passwords, the first "did not
receive" will correspond to someone doing a "telnet 22" to get
the SSH banner to appear.  Perhaps they are trying to see whether any
particular vulnerabilities apply to your SSH version.

Of course, if it's an automated scan, that's a less likely explanation.

Please don't CC me on list messages!
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

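To see the mechanism Dave describes in working code, here is an added example (it is not code from the thread, from Adam or Dave, or from OpenSSH). The server below is a toy that mimics only sshd's identification-string step and its log wording, not a real sshd; the banner string, the loopback port and the 1-second grace timeout are assumptions constructed for the example. The probe reads the server's banner and hangs up without ever sending its own "SSH-" line, which is exactly what "telnet host 22" amounts to, and the toy server answers with the same "Did not receive identification string from ..." entry the logs show. A second probe that does send an identification line is included for contrast.

```python
"""Why a banner grab shows up as "Did not receive identification string".

RFC 4253 section 4.2: once the TCP connection is open, each side sends an
identification line "SSH-protoversion-softwareversion[ SP comments] CR LF".
sshd logs "Did not receive identification string from <ip>" when the peer
disconnects (or the grace time expires) before sending that line.  A
reconnaissance probe that only wants the server version reads the banner
and closes, so precisely that log line is what it leaves behind.

Added example, not OpenSSH code.  Constructed assumptions: the banner text,
loopback port 0 (ephemeral) and a 1 s stand-in for LoginGraceTime.
"""
import socket
import threading

SERVER_BANNER = b"SSH-2.0-OpenSSH_3.8.1p1\r\n"   # constructed sample banner
IDENT_TIMEOUT = 1.0                               # stand-in for LoginGraceTime


def read_line(conn, limit=255):
    """Read up to one CR LF-terminated line (or until the peer closes)."""
    buf = b""
    while b"\n" not in buf and len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:          # peer hung up without finishing a line
            break
        buf += chunk
    return buf


def serve_one(listener, log):
    """Toy sshd: send our banner, then wait for the client's identification line."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        conn.sendall(SERVER_BANNER)
        conn.settimeout(IDENT_TIMEOUT)
        try:
            data = read_line(conn)
        except socket.timeout:   # grace time ran out; same outcome as a hang-up
            data = b""
        line = data.split(b"\n", 1)[0].rstrip(b"\r")
        if line.startswith(b"SSH-"):
            log.append("Client version: %s from %s"
                       % (line.decode("ascii", "replace"), peer_ip))
        else:
            log.append("Did not receive identification string from %s" % peer_ip)


def grab_banner(host, port, client_ident=None):
    """Connect, read the server banner, optionally identify ourselves, hang up.

    client_ident=None reproduces "telnet host 22": read the banner and close
    without ever sending an SSH- line.  Returns the server's banner as text.
    """
    with socket.create_connection((host, port), timeout=2) as s:
        banner = read_line(s)
        if client_ident is not None:
            s.sendall(client_ident + b"\r\n")
    return banner.decode("ascii", "replace").rstrip("\r\n")


def run_probe(client_ident=None):
    """Start the toy server on an ephemeral loopback port, run one probe.

    Returns (banner seen by the probe, list of log lines the server wrote).
    """
    log = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener, log))
    t.start()
    banner = grab_banner("127.0.0.1", port, client_ident)
    t.join()
    listener.close()
    return banner, log


if __name__ == "__main__":
    # Banner grab only: the server logs "Did not receive identification string".
    banner, log = run_probe()
    print("probe saw:", banner)
    print("server logged:", log[0])
    # A client that identifies itself does not trigger that line.
    banner, log = run_probe(b"SSH-2.0-probe_0.1")
    print("server logged:", log[0])
```

On a real host you can reproduce the entry just as the reply suggests: "telnet host 22", read the banner, close the connection, and sshd writes the same "Did not receive identification string" message with your address. The log line therefore only tells you that something connected and did not speak SSH; on its own it does not distinguish a manual banner check from a scanner or a misconfigured client.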