From: freebsd@bitfreak.org
To: freebsd-security@freebsd.org
Date: Sun, 15 Oct 2006 11:42:47 -0700
Message-ID: <45328127.7020702@bitfreak.org>
Subject: sshd "bad protocol version identification" messages

I'm seeing lines like the following in my security logs:

Oct 14 06:56:32 srv sshd[41370]: Bad protocol version identification '\200b\001\003\001' from 24.203.221.239

From what I've read, this is a buffer overflow attack on the sshd whereby the attacker triggers the overflow before the identification string is sent, then attempts commands to see if elevated privileges were obtained. The log message is produced by sshd trying to interpret the commands as the identification string.

Is this related to SA-06:22 or SA-06:23, or is this another bug?
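A triage helper for lines like the one quoted above, added here as an example and not part of the original post or of OpenSSH: it undoes the octal escaping sshd's logger applies to non-printable bytes and checks whether the leading bytes have the shape of a recognisable non-SSH client greeting (an SSLv2-style ClientHello header, a TLS handshake record, or an HTTP request line), which is worth ruling out before treating such a line as an exploit attempt. The log lines and addresses are constructed, and the classifier covers more greeting shapes than the single line in the post.

```python
import re

# Constructed sample lines in sshd's log format (not from a real host).
SAMPLE_LOGS = [
    "Oct 14 06:56:32 srv sshd[41370]: Bad protocol version identification "
    "'\\200b\\001\\003\\001' from 192.0.2.10",
    "Oct 14 07:01:10 srv sshd[41402]: Bad protocol version identification "
    "'\\026\\003\\001\\000\\312\\001' from 192.0.2.11",
    "Oct 14 07:05:44 srv sshd[41455]: Bad protocol version identification "
    "'GET / HTTP/1.0' from 192.0.2.12",
    "Oct 14 07:09:02 srv sshd[41470]: Accepted publickey for alice from 192.0.2.13",
]

LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>[^']*)' from (?P<ip>\S+)"
)

def unescape(ident):
    """Undo vis-style escaping: \\ooo is one octal byte, \\\\ a backslash."""
    out, i = bytearray(), 0
    while i < len(ident):
        if ident[i] == "\\" and i + 3 < len(ident) and \
                all(c in "01234567" for c in ident[i + 1:i + 4]):
            out.append(int(ident[i + 1:i + 4], 8))
            i += 4
        elif ident[i] == "\\" and i + 1 < len(ident) and ident[i + 1] == "\\":
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(ident[i]) & 0xFF)  # printable ASCII is logged as-is
            i += 1
    return bytes(out)

def classify(raw):
    """Name the client protocol the leading bytes look like, or 'unknown'."""
    # SSLv2-compatible ClientHello: 2-byte record header with the high bit set,
    # then message type 0x01 (CLIENT-HELLO) and the client's highest version.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        return "sslv2-client-hello version=0x%04x" % ((raw[3] << 8) | raw[4])
    # TLS record layer: content type 0x16 (handshake) followed by version 0x03xx.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "tls-handshake-record"
    if raw.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST"):
        return "http-request"
    return "unknown"

def triage(lines):
    """Return (pid, ip, classification) for each 'Bad protocol version' line."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            results.append((int(m["pid"]), m["ip"], classify(unescape(m["ident"]))))
    return results
```

For the line in the post, the decoded bytes are 0x80 0x62 0x01 0x03 0x01: a two-byte SSLv2 record header, a CLIENT-HELLO message type, and version 0x0301, which is what a TLS 1.0 client sending an SSLv2-compatible hello to port 22 would produce.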