Mailing List Archive

sshd: invalid public DH value
Has anybody seen these in their logs?

Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value

Any idea what they mean? We get lots of ssh probes, most of which can
be ignored, but I've never seen this sshd message before.
Could somebody be probing for a buffer overflow?

We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
kernel 2.6.24-26.
Re: sshd: invalid public DH value [ In reply to ]
These messages only started appearing in the latest botnet ssh weak
user/password fishing expedition. I don't think the messages are from
a legitimate client.

Yes, they could be due to corrupted packets from one of the bots on a
weak connection, but I would like to hear if anybody can think of
other possibilities.



On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
<ayampolskiy@gilt.com> wrote:
> Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
> corrupted?
>
> ----- Original Message -----
> From: listbounce@securityfocus.com <listbounce@securityfocus.com>
> To: secureshell@securityfocus.com <secureshell@securityfocus.com>
> Sent: Mon Dec 14 14:16:31 2009
> Subject: sshd: invalid public DH value
>
> Has anybody seen these in their logs?
>
>   Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
>   Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value
>
> Any idea what they mean?  We get lots of ssh probes, most of which can
> be ignored, but I've never seen this sshd message before.
> Could somebody be probing for a buffer overflow?
>
> We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
> kernel 2.6.24-26.
>
Re: sshd: invalid public DH value [ In reply to ]
I would guess that the "DH" refers to Diffie-Hellman. And if memory serves
me correctly, the Diffie-Hellman negotiation is one of the earliest stages
of connection negotiation.

So is it possible that these logs represent an attempt to connect on the
SSH daemon's port, from something that is NOT an SSH client? For instance,
what kind of log entry do you get if you try to telnet to the SSH port?

On Tue, 15 Dec 2009, J Jude wrote:

> These messages only started appearing in the latest botnet ssh weak
> user/password fishing expedition. I don't think the messages are from
> a legitimate client.
>
> Yes, they could be due to corrupted packets from one of the bots on a
> weak connection, but I would like to hear if anybody can think of
> other possibilities.
>
>
>
> On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
> <ayampolskiy@gilt.com> wrote:
> > Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
> > corrupted?
> >
> > ----- Original Message -----
> > From: listbounce@securityfocus.com <listbounce@securityfocus.com>
> > To: secureshell@securityfocus.com <secureshell@securityfocus.com>
> > Sent: Mon Dec 14 14:16:31 2009
> > Subject: sshd: invalid public DH value
> >
> > Has anybody seen these in their logs?
> >
> >   Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
> >   Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value
> >
> > Any idea what they mean?  We get lots of ssh probes, most of which can
> > be ignored, but I've never seen this sshd message before.
> > Could somebody be probing for a buffer overflow?
> >
> > We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
> > kernel 2.6.24-26.
> >
>
>

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@anzio.com
company e-mail: rsi@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA