The Community Forums

Interact with an entire community of cPanel & WHM users!

SSHD vulnerability?

Discussion in 'General Discussion' started by apodigm, Jun 28, 2004.

  1. apodigm

    Here are some strange entries in my logwatch...

    --------------------- pam_unix Begin ------------------------
    sshd:
    Authentication Failures:
    unknown (d14-69-195-7.try.wideopenwest.com ): 2 Time(s)
    Unknown Entries:
    1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=d14-69-195-7.try.wideopenwest.com : 1 Time(s)
    Invalid Users:
    Unknown Account: 3 Time(s)
    ---------------------- pam_unix End -------------------------

    --------------------- Connections (secure-log) Begin -----------
    Connections:
    Service imap:
    69.14.7.195: 11 Time(s)
    127.0.0.1: 183 Time(s)
    ---------------------- Connections (secure-log) End -----------

    --------------------- SSHD Begin ------------------------

    Failed logins from these:
    esx/password from 69.14.7.195: 2 Time(s)
    evilst/password from 69.14.7.195: 1 Time(s)

    **Unmatched Entries**
    Protocol major versions differ for 69.14.7.195: SSH-1.99-OpenSSH_3.6.1p2 vs. SSH-9.9-NessusSSH_1.0
    Protocol major versions differ for 69.14.7.195: SSH-1.99-OpenSSH_3.6.1p2 vs. SSH-9.9-NessusSSH_1.0
    Illegal user esx from 69.14.7.195
    Illegal user esx from 69.14.7.195
    Illegal user evilst from 69.14.7.195

    ---------------------- SSHD End -------------------------



    Based on this it looks like he was blocked. But I still think it is strange that there was protocol mismatch for the SSH software.

    Anyone dealt with this before?
     
  2. chirpy

    The protocol mismatch is nothing unusual. The client may have been trying to use SSHv1 and your server may be configured to only accept SSHv2. Certainly not a vulnerability, just someone trying to gain SSH access to the server.
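    As an added example (not from the thread, cPanel or logwatch), a small Python script that parses sshd lines in the format quoted above, aggregates failed logins, probes of non-existent users and client banners per remote host, and flags hosts whose banner carries a protocol version no real client sends (RFC 4253 permits 2.0, 1.99 and 1.x). The sample lines are constructed: the host, banners and user names are the post's, the syslog prefix, PIDs and ports are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the secure-log format quoted in the thread: host, banners
# and user names come from the post; syslog prefix, PIDs and ports are assumed.
SAMPLE_LOG = """\
Jun 28 03:14:01 srv sshd[1201]: Protocol major versions differ for 69.14.7.195: SSH-1.99-OpenSSH_3.6.1p2 vs. SSH-9.9-NessusSSH_1.0
Jun 28 03:14:02 srv sshd[1203]: Illegal user esx from 69.14.7.195
Jun 28 03:14:02 srv sshd[1203]: Failed password for illegal user esx from 69.14.7.195 port 40312 ssh2
Jun 28 03:14:03 srv sshd[1205]: Illegal user evilst from 69.14.7.195
Jun 28 03:14:03 srv sshd[1205]: Failed password for illegal user evilst from 69.14.7.195 port 40313 ssh2
Jun 28 09:00:00 srv sshd[1400]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2
"""

PROTO_RE = re.compile(r"Protocol major versions differ for (\S+): (\S+) vs\. (\S+)")
FAILED_RE = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+)")
ILLEGAL_RE = re.compile(r"Illegal user (\S+) from (\S+)")


def banner_is_bogus(banner):
    """True when an SSH identification string carries a version no real client
    sends: RFC 4253 allows 2.0, 1.99 (speaks both) and 1.x (SSH-1 only)."""
    parts = banner.split("-", 2)  # "SSH", "<protoversion>", "<softwareversion>"
    if len(parts) < 3 or parts[0] != "SSH":
        return True
    version = parts[1]
    return not (version in ("2.0", "1.99") or version.startswith("1."))


def summarize(log_text):
    """Per-remote-host counts of failed logins, probed non-existent users and banners."""
    hosts = defaultdict(lambda: {"failed": 0, "illegal_users": set(),
                                 "client_banners": set(), "bogus_banner": False})
    for line in log_text.splitlines():
        if m := PROTO_RE.search(line):
            ip, _server_banner, client_banner = m.groups()
            hosts[ip]["client_banners"].add(client_banner)
            if banner_is_bogus(client_banner):
                hosts[ip]["bogus_banner"] = True
        elif m := FAILED_RE.search(line):
            hosts[m.group(2)]["failed"] += 1
        elif m := ILLEGAL_RE.search(line):
            hosts[m.group(2)]["illegal_users"].add(m.group(1))
    return dict(hosts)


def likely_scanners(log_text, min_illegal=2):
    """Hosts that sent an impossible banner or probed several accounts that do not exist."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["bogus_banner"] or len(s["illegal_users"]) >= min_illegal)
```

    Run on the sample, the only host returned by likely_scanners is 69.14.7.195, both because its banner version 9.9 is impossible and because it probed two accounts that do not exist.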
     