[lug] Mystery SSH diagnostic lines
Bear Giles
bgiles at coyotesong.com
Tue Aug 3 14:32:08 MDT 2021
I'm pretty sure those are the ports on the sending PC. Depending upon your
logs and whether you have access to the system while the session is running
you could use it to identify the process and owner of the process. (E.g.,
'lsof -i tcp:xxxx'.)
IIRC 'preauth' is the first part of the handshake - it tells the client
what forms of authentication are allowed. E.g., password, ssh key, etc. The
client can then respond with the requested type(s) of information in
'auth'. This allows the client to avoid blindly providing credentials that
aren't required - or to immediately tell the user that it doesn't have the
required information. E.g., maybe the server only accepts ssh keys but the
client doesn't have any private keys.
Bear
On Sun, Aug 1, 2021 at 1:19 PM Mike Witt <msg2mw at gmail.com> wrote:
> On 08/01/2021 01:03:11 PM, Simos wrote:
> > On Sun, 01 Aug 2021 12:27:02 -0600 Mike Witt <msg2mw at gmail.com> wrote:
> > >
> > > On 08/01/2021 11:42:20 AM, Simos wrote:
> > > > Hi,
> > > >
> > > > Looks like a port scan to me.
> > >
> > > Wouldn't that have tried more than just those two ports?
> >
> > Maybe for now it's just probing open SSH ports? Also, how do you know
> > that
> > nothing else is being port scanned? The log lines you forwarded seem
> > to be
> > from standard syslog/auth logs which would not necessarily log port
> > scan
> > attempts unless the individual services themselves (like sshd) did so.
>
> sshd is only configured to listen on port 22 (I'm using the standard
> port and it's NOT accessible to the outside work through my comcast
> modem/router).
>
> If I do ssh -p to one of those ports, I DON'T get those log lines and
> the connection is simply refused.
>
> I have no idea what the [preauth] thing is and I don't see that when I
> make or break regular ssh connections to either of these machines.
>
> I obviously don't know what's going on, but when I look at those lines
> it seems almost like 10.0.0.8 is sending an (unsolicited) disconnect to
> the other machines(???)
>
> Good tip about MalwareBytes, I'll look into that.
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20210803/d8c725fb/attachment.html>
More information about the LUG
mailing list