These messages only started appearing in the latest botnet ssh weak
user/password fishing expedition.  I don't think the messages are from
a legitimate client.

Yes, they could be due to corrupted packets from one of the bots on a
weak connection, but I would like to hear if anybody can think of
other possibilities.



On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
<[email protected]> wrote:
> Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
> corrupted?
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Mon Dec 14 14:16:31 2009
> Subject: sshd: invalid public DH value
>
> Has anybody seen these in their logs?
>
>   Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
>   Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value
>
> Any idea what they mean?  We get lots of ssh probes, most of which can
> be ignored, but I've never seen this sshd message before.
> Could somebody be probing for a buffer overflow?
>
> We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
> kernel 2.6.24-26.
>
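
An added illustration (not part of the thread and not OpenSSH's source) of why a server refuses a client DH public value of 0 or 1, the case behind the "invalid public DH value: <= 1" line quoted above: with such a value the shared secret comes out the same whatever private exponent the server picks. The modulus, generator and function names are constructed for this sketch; RFC 4253 requires e to lie in [1, p-1], and the sketch additionally rejects the boundary values 1 and p-1.

```python
import secrets

# Constructed toy parameters: 2**255 - 19 is prime, but this is NOT an SSH group.
P = 2**255 - 19
G = 2


def check_dh_public(e: int, p: int) -> str:
    """Return 'ok' or the reason a peer's public DH value is rejected."""
    if e < 0:
        return "negative"
    if e <= 1:
        return "<= 1"          # the case logged in the thread
    if e >= p - 1:
        return ">= p-1"
    return "ok"


def server_secret(e: int, y: int, p: int) -> int:
    """Shared secret K = e^y mod p, as the server side would compute it."""
    return pow(e, y, p)


def secrets_for(e: int, p: int, trials: int = 20) -> set:
    """Distinct K values seen over several random server exponents y in [2, p-2]."""
    return {server_secret(e, 2 + secrets.randbelow(p - 3), p) for _ in range(trials)}


def demo() -> dict:
    """Map each sample client value to (verdict, number of distinct secrets)."""
    samples = [("0", 0), ("1", 1), ("p-1", P - 1), ("g^10", pow(G, 10, P))]
    return {name: (check_dh_public(e, P), len(secrets_for(e, P)))
            for name, e in samples}


if __name__ == "__main__":
    for name, (verdict, distinct) in demo().items():
        print(f"e={name:5} verdict={verdict:7} distinct K over 20 runs: {distinct}")
```

For the rejected values the number of distinct secrets stays at one or two however often the server re-rolls its exponent, which is why the check runs before any secret is derived.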
