SSH crc32 compensation attack?



Hi all,

One of my systems just emailed me with this:

Mar  5 13:35:03 firewall sshd[3497]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:11 firewall sshd[3499]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:15 firewall sshd[3500]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:19 firewall sshd[3501]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:27 firewall sshd[3503]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:39 firewall sshd[3506]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:43 firewall sshd[3507]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:51 firewall sshd[3509]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:35:59 firewall sshd[3511]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:36:52 firewall sshd[3524]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:38:47 firewall sshd[3537]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:39:05 firewall sshd[3539]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:39:14 firewall sshd[3540]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:39:32 firewall sshd[3542]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:39:49 firewall sshd[3544]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:39:58 firewall sshd[3545]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:40:07 firewall sshd[3546]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:41:57 firewall sshd[3574]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:43:12 firewall sshd[3593]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:43:35 firewall sshd[3599]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:44:34 firewall sshd[3614]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:44:47 firewall sshd[3494]: fatal: Timeout before authentication for 211.192.192.181.
Mar  5 13:44:58 firewall sshd[3620]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:45:06 firewall sshd[3622]: Disconnecting: crc32 compensation attack: network attack detected
Mar  5 13:45:23 firewall sshd[3626]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:45:47 firewall sshd[3632]: Disconnecting: Corrupted check bytes on input.
Mar  5 13:46:47 firewall sshd[416]: Generating new 768 bit RSA key.
Mar  5 13:46:48 firewall sshd[416]: RSA key generation complete.
Mar  5 14:46:49 firewall sshd[416]: Generating new 768 bit RSA key.
Mar  5 14:46:49 firewall sshd[416]: RSA key generation complete.


It looks to me like this is coming from 211.192.192.181 but no other IP 
addresses have been reported.

Is there anywhere that SSH would log these besides /var/log/messages?

Anyone seen this sort of attack before?

-- 
Regards,
+-----------------------+---------------------------------+
| Peter Kiem            | E-Mail    : <zordah zordah net> |
| Zordah IT             | Mobile    : +61 0414 724 766    |
|   IT Consultancy &    | WWW       : www.zordah.net      |
|   Internet Hosting    | ICQ       : "Zordah" 866661     |
+-----------------------+---------------------------------+
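
Added example, not part of the original post: a small triage script for sshd syslog lines in the format quoted above. It rejoins mail-wrapped records, counts the three pre-authentication failure messages per class and per minute, and collects any IPv4 addresses that appear in sshd lines. The names summarize, unwrap and CLASSES are hypothetical, and the sample input is constructed.

```python
import re
from collections import Counter

# Constructed sample in the post's syslog format, mail-wrapped the same way.
# 192.0.2.10 is a documentation address, not one taken from the post.
SAMPLE = """\
Mar  5 13:35:03 firewall sshd[3497]: Disconnecting: Corrupted check bytes on
input.
Mar  5 13:35:11 firewall sshd[3499]: Disconnecting: Corrupted check bytes on
input.
Mar  5 13:36:52 firewall sshd[3524]: Disconnecting: crc32 compensation
attack: network attack detected
Mar  5 13:44:47 firewall sshd[3494]: fatal: Timeout before authentication for
192.0.2.10.
Mar  5 13:46:47 firewall sshd[416]: Generating new 768 bit RSA key.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CLASSES = {  # label -> substring of the sshd message, as quoted in the post
    "crc32_attack": "crc32 compensation attack",
    "bad_check_bytes": "Corrupted check bytes",
    "preauth_timeout": "Timeout before authentication",
}

def unwrap(text):
    """Rejoin wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw.rstrip())
        elif raw.strip():
            records[-1] += " " + raw.strip()
    return records

def summarize(text):
    """Return (events per class, events per minute, IPs seen in sshd lines)."""
    by_class, by_minute, ips = Counter(), Counter(), Counter()
    for record in unwrap(text):
        m = LINE.match(record)
        if not m:
            continue
        minute, msg = m.groups()
        for label, needle in CLASSES.items():
            if needle in msg:
                by_class[label] += 1
                by_minute[minute] += 1
        ips.update(IPV4.findall(msg))
    return by_class, by_minute, ips
```

In this log format the Disconnecting lines carry no peer address, so the per-minute counts and any addresses found in other sshd lines are the only correlation this file offers.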