On Thu, 24 Jan 2002 23:29:26 -0500, dman <[EMAIL PROTECTED]> wrote:
>
> I'm sitting at home on the console right now. I noticed this in
> xconsole, copied from /var/log/auth.log :
>
> Jan 24 23:23:50 dman sshd[3760]: Did not receive identification string from 216.153.138.132
> Jan 24 23:24:37 dman sshd[3776]: Disconnecting: Corrupted check bytes on input.
>
> It appears that someone is trying to ssh to my machine, but didn't do
> it right. Is this deduction correct? I looked up that machine and
> found :
>
> $ host 216.153.138.12
> Name: host-216-153-138-12.choiceone.net
> Address: 216.153.138.12
>
> $ nmap 216.153.138.12
>
> (The 1545 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 5631/tcp   open        pcanywheredata
>
>
> Looks like a Windows machine to me. Is this just a fluke, or is there
> some new worm/exploit going around?

I dunno, but sounds like the crc32 exploit. It might be worth contacting choiceone.net with a log snippet. Do you know what's on port 5631?

--
Eric G. Miller <[email protected]>
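
Added example, not part of either message: a small auth.log triage script for the two sshd messages quoted in this thread. The "Corrupted check bytes" line carries no source address, so the script only lists addresses from "Did not receive identification string" lines seen close in time as candidates. The 5-minute window, the `year` parameter and the third sample log line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
Jan 24 23:23:50 dman sshd[3760]: Did not receive identification string from 216.153.138.132
Jan 24 23:24:37 dman sshd[3776]: Disconnecting: Corrupted check bytes on input.
Jan 24 23:40:02 dman sshd[3801]: Accepted password for dman from 192.0.2.10 port 1022
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
NO_IDENT_RE = re.compile(r"^Did not receive identification string from (\S+)")
CORRUPT_MSG = "Disconnecting: Corrupted check bytes on input."

def parse(log_text, year=2002):
    """Yield (timestamp, pid, message) per sshd line; syslog omits the year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(3)), m.group(4)

def suspicious_events(log_text, window=timedelta(minutes=5)):
    """Pair each corrupted-check-bytes disconnect with probe sources seen
    within `window`. Time proximity is a hint, not proof of the same peer."""
    probes, corrupt = [], []
    for ts, pid, msg in parse(log_text):
        m = NO_IDENT_RE.match(msg)
        if m:
            probes.append((ts, m.group(1)))
        elif msg == CORRUPT_MSG:
            corrupt.append((ts, pid))
    findings = []
    for ts, pid in corrupt:
        nearby = sorted({ip for pts, ip in probes if abs(ts - pts) <= window})
        findings.append({"time": ts, "pid": pid, "candidate_sources": nearby})
    return findings

if __name__ == "__main__":
    for finding in suspicious_events(SAMPLE_LOG):
        print(finding)
```

To attribute the disconnect with certainty, raise sshd's log level so each connection is logged with its PID and peer address.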

