[lug] Mystery SSH diagnostic lines

Mike Witt msg2mw at gmail.com
Tue Aug 3 19:35:15 MDT 2021


Interesting. Thanks for that info Bear.

We ran a few more tests and (it's a bit of a long and boring story) but  
Tina can make the "event" happen by putting MS "Edge" (a browser) "to  
sleep" (whatever that means) and then it eventually "wakes up" which  
bothers Avast (the security program) at which point either Edge or  
Avast appears to try to contact other machines on the network.

Why this would happen, or how she figured it out ... who knows.

But as near as we can determine it's some combination of Edge and  
Avast. And I suppose that this may have happened before and I just  
never noticed it. This machine used to be open to ssh from the world  
and I often got ssh attempts. Now that it's closed, this event really  
stood out in the logs.

I appreciate everyone's comments, but I'm afraid I wasted your time :-(

-Mike

On 08/03/2021 02:32:08 PM, Bear Giles wrote:
> I'm pretty sure those are the ports on the sending PC. Depending upon your logs and whether you have access to the system while the session is running you could use it to identify the process and owner of the process. (E.g., 'lsof -i tcp:xxxx'.)
> 
> IIRC 'preauth' is the first part of the handshake - it tells the client what forms of authentication are allowed. E.g., password, ssh key, etc. The client can then respond with the requested type(s) of information in 'auth'. This allows the client to avoid blindly providing credentials that aren't required - or to immediately tell the user that it doesn't have the required information. E.g., maybe the server only accepts ssh keys but the client doesn't have any private keys.
> 
> Bear
> 
> On Sun, Aug 1, 2021 at 1:19 PM Mike Witt <msg2mw at gmail.com> wrote:
> 
> > On 08/01/2021 01:03:11 PM, Simos wrote:
> > > On Sun, 01 Aug 2021 12:27:02 -0600 Mike Witt <msg2mw at gmail.com> wrote:
> > > >
> > > > On 08/01/2021 11:42:20 AM, Simos wrote:
> > > > > Hi,
> > > > >
> > > > > Looks like a port scan to me.
> > > >
> > > > Wouldn't that have tried more than just those two ports?
> > >
> > > Maybe for now it's just probing open SSH ports? Also, how do you know that nothing else is being port scanned? The log lines you forwarded seem to be from standard syslog/auth logs which would not necessarily log port scan attempts unless the individual services themselves (like sshd) did so.
> >
> > sshd is only configured to listen on port 22 (I'm using the standard port and it's NOT accessible to the outside world through my comcast modem/router).
> >
> > If I do ssh -p to one of those ports, I DON'T get those log lines and the connection is simply refused.
> >
> > I have no idea what the [preauth] thing is and I don't see that when I make or break regular ssh connections to either of these machines.
> >
> > I obviously don't know what's going on, but when I look at those lines it seems almost like 10.0.0.8 is sending an (unsolicited) disconnect to the other machines(???)
> >
> > Good tip about MalwareBytes, I'll look into that.
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> 
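Added example, not part of the thread: a small parser for the sshd disconnect lines discussed above. It uses OpenSSH's own log wording on constructed sample lines (the thread does not reproduce the original entries), groups disconnects by source address, lists the client-side ports (the ones Bear suggests looking up with lsof on the sending machine) and reports whether every disconnect from a source happened at the [preauth] stage, i.e. before any credential was offered.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's wording; the thread does
# not reproduce the original entries, so these are illustrative only.
SAMPLE_LOG = """\
Aug  1 12:01:03 host sshd[4311]: Connection closed by 10.0.0.8 port 51842 [preauth]
Aug  1 12:01:03 host sshd[4311]: Disconnected from 10.0.0.8 port 51842 [preauth]
Aug  1 12:05:47 host sshd[4320]: Connection closed by 10.0.0.8 port 51910 [preauth]
Aug  1 12:30:00 host sshd[4402]: Accepted publickey for mike from 10.0.0.5 port 40022 ssh2: ED25519 SHA256:REDACTED
Aug  1 12:45:12 host sshd[4402]: Disconnected from user mike 10.0.0.5 port 40022
"""

# Matches the tail sshd writes when a connection closes: the event, an
# optional "user <name>", the client IP and client port, and an optional
# "[preauth]" marker meaning the close happened before authentication.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<event>Connection closed by|Disconnected from)"
    r"(?: user (?P<user>\S+))? (?P<ip>[\d.]+) port (?P<port>\d+)"
    r"(?P<preauth> \[preauth\])?"
)

def parse_disconnects(log_text):
    """Return one dict per disconnect line: source ip, client port, sshd pid, preauth flag."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ip": m["ip"],
                "port": int(m["port"]),  # ephemeral port on the connecting machine
                "pid": int(m["pid"]),
                "preauth": m["preauth"] is not None,
            })
    return events

def summarize_by_source(events):
    """Per source IP: disconnect count, distinct client ports, and whether every
    disconnect happened before any credential was offered (all [preauth])."""
    summary = defaultdict(lambda: {"disconnects": 0, "ports": set(), "all_preauth": True})
    for e in events:
        s = summary[e["ip"]]
        s["disconnects"] += 1
        s["ports"].add(e["port"])
        s["all_preauth"] = s["all_preauth"] and e["preauth"]
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize_by_source(parse_disconnects(SAMPLE_LOG)).items():
        kind = "preauth-only" if s["all_preauth"] else "authenticated session"
        print(ip, s["disconnects"], sorted(s["ports"]), kind)
```

A source whose every disconnect is preauth-only with a fresh client port each time never got past the handshake, which is the pattern the thread was trying to explain; the ports listed are the ones to check on the sending machine.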
