Subject: ssh scans, old version exploits
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 11/21/2001 13:20:32
On a 1.4.2/i386 system, I was running openssh-1.2.2 package (which used
openssl-0.9.4). (It was installed around February 29, 2000.)

My daily report indicated a /sshd.core file.
-rw-------  1 root  wheel  762216 Nov 20 14:23 /sshd.core

A strings on the file showed:
 140.254.9.26
 SSH-1.5-1.2.27

gdb said:
 Program terminated with signal 11, Segmentation fault.
 #0  0x15dbc in ?? ()

I already replaced the old binary; I forgot to save it for debugging. If
anyone is interested I can send the sshd.core dump.

My logs showed:

Nov 20 14:20:41 bsd sshd[8662]: Did not receive ident string from 195.5.22.228.
Nov 20 14:20:45 bsd sshd[8667]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:48 bsd sshd[8671]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:49 bsd sshd[8672]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:55 bsd sshd[8680]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:56 bsd sshd[8681]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:23:44 bsd sshd[8936]: Connection closed by 140.254.9.26

I didn't notice any changes to my system though.

Plus, in the months of September, October and November, I received many
logs saying "Did not receive ident string" such as:

Nov  6 21:36:25 bsd sshd[15274]: Did not receive ident string from 200.21.83.157.
Nov 20 15:11:47 bsd sshd[9022]: Did not receive ident string from 195.5.22.228.

Is the above "ident string" log an indication of ssh scans?

By the way, changing to new pkgsrc for new openssh was easy.

   Jeremy C. Reed
   http://www.reedmedia.net/
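
One way to triage the two sshd message types quoted in this message, as an added example that is not part of the original post: it tallies "Did not receive ident string" sources and flags bursts of "Corrupted check bytes on input" disconnects. The sample is the message's log lines unwrapped; the function names, the 60-second window, the threshold of 3 and the year 2001 (taken from the Date header) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the log lines from the message, one entry per line.
SAMPLE = """\
Nov  6 21:36:25 bsd sshd[15274]: Did not receive ident string from 200.21.83.157.
Nov 20 14:20:41 bsd sshd[8662]: Did not receive ident string from 195.5.22.228.
Nov 20 14:20:45 bsd sshd[8667]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:48 bsd sshd[8671]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:49 bsd sshd[8672]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:55 bsd sshd[8680]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:20:56 bsd sshd[8681]: Disconnecting: Corrupted check bytes on input.
Nov 20 14:23:44 bsd sshd[8936]: Connection closed by 140.254.9.26
Nov 20 15:11:47 bsd sshd[9022]: Did not receive ident string from 195.5.22.228.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
NO_IDENT = re.compile(r"Did not receive ident string from (\d+\.\d+\.\d+\.\d+)")
BAD_CRC = "Corrupted check bytes on input"

def parse(text, year=2001):
    """Yield (timestamp, pid, message); syslog omits the year, so it is passed in."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def summarize(text, window=timedelta(seconds=60), threshold=3):
    """Return (no-ident count per source IP, list of (first, last, count) bursts)."""
    no_ident, crc_times = Counter(), []
    for ts, _pid, msg in parse(text):
        m = NO_IDENT.search(msg)
        if m:
            no_ident[m.group(1)] += 1
        elif BAD_CRC in msg:  # these lines carry no source address
            crc_times.append(ts)
    bursts, run = [], []
    # datetime.max is a sentinel that flushes the final run of events.
    for ts in sorted(crc_times) + [datetime.max]:
        if run and ts - run[-1] > window:
            if len(run) >= threshold:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(ts)
    return no_ident, bursts

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The "Corrupted check bytes" lines do not name a peer, so a burst can only be tied to a source by looking at address-bearing lines logged around the same time.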