tnich/honssh

New message type 98

Closed this issue · 4 comments

2014-03-03 07:25:14 - Incoming connection from: 61.174.51.200:2629 - SSH-2.0-libssh2_1.4.2
2014-03-03 07:25:14 - Failed login - Username:root Password:admin
2014-03-03 07:25:14 - Successful login - Username:root Password:123456
2014-03-03 07:25:16 - New message 98 type detected - Please raise a HonSSH issue on google code with the details: subsystem
2014-03-03 07:25:16 - RAW CLIENT-SERVER: '\x00\x00\x00\x05\x01\x00\x00\x00\x03'
2014-03-03 07:25:17 - Lost connection from: 61.174.51.200

Please let me know if I can provide any more details.

Original issue reported on code.google.com by KD5...@gmail.com on 3 Mar 2014 at 12:38

Same here, I think this is the sftp-subsystem:

2014-03-03 09:17:34 - SERVER: MessageNum: 50 Encrypted '\x00\x00\x00\x04root\x00\x00\x00\x0essh-connection\x00\x00\x00\x08password\x00\x00\x00\x00\x06123456'
2014-03-03 09:17:34 - CLIENT: MessageNum: 52 Encrypted ''
2014-03-03 09:17:34 - SERVER: MessageNum: 90 Encrypted '\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x80\x00'
2014-03-03 09:17:34 - CLIENT: MessageNum: 91 Encrypted '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00'
2014-03-03 09:17:34 - SERVER: MessageNum: 98 Encrypted '\x00\x00\x00\x00\x00\x00\x00\tsubsystem\x01\x00\x00\x00\x04sftp'
2014-03-03 09:17:34 - CLIENT: MessageNum: 93 Encrypted '\x00\x00\x00\x00\x00 \x00\x00'
2014-03-03 09:17:34 - CLIENT: MessageNum: 99 Encrypted '\x00\x00\x00\x00'
2014-03-03 09:17:35 - SERVER: MessageNum: 94 Encrypted '\x00\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x05\x01\x00\x00\x00\x03'
2014-03-03 09:17:35 - CLIENT: MessageNum: 94 Encrypted '\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00|\x02\x00\x00\x00\x03\x00\x00\x00\x18posix-rename@openssh.com\x00\x00\x00\x011\x00\x00\x00\x13statvfs@openssh.com\x00\x00\x00\x012\x00\x00\x00\x14fstatvfs@openssh.com\x00\x00\x00\x012\x00\x00\x00\x14hardlink@openssh.com\x00\x00\x00\x011'
2014-03-03 09:17:35 - SERVER: MessageNum: 96 Encrypted '\x00\x00\x00\x00'
2014-03-03 09:17:35 - CLIENT: MessageNum: 96 Encrypted '\x00\x00\x00\x00'
2014-03-03 09:17:35 - CLIENT: MessageNum: 98 Encrypted '\x00\x00\x00\x00\x00\x00\x00\x0bexit-status\x00\x00\x00\x00\x00'
2014-03-03 09:17:35 - CLIENT: MessageNum: 97 Encrypted '\x00\x00\x00\x00'
2014-03-03 09:17:36 - SERVER: MessageNum: 97 Encrypted '\x00\x00\x00\x00'

Original comment by flofriha...@gmail.com on 3 Mar 2014 at 2:06
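The exchange in the comment above is the SSH connection-protocol handshake for the sftp subsystem: message 98 is SSH_MSG_CHANNEL_REQUEST (RFC 4254 section 5.4) carrying the request type "subsystem" and the name "sftp", and the first CHANNEL_DATA (message 94) on that channel is the SFTP INIT/VERSION handshake, which is also the raw '\x00\x00\x00\x05\x01\x00\x00\x00\x03' in the original report. The following Python decoder is an added example, not HonSSH's own code: it parses those payloads with the SSH wire types of RFC 4251 and the SFTP packet framing (uint32 length, byte type, body) used by OpenSSH. The CAPTURE records are reconstructed from the log lines above with the SERVER/CLIENT labels copied as logged; the decoder assumes the channel id is the same on both sides, which holds here because both sides use channel 0.

```python
import struct

# SSH message numbers (RFC 4252 / RFC 4254) that appear in the capture above.
MSG_NAMES = {
    50: "USERAUTH_REQUEST", 52: "USERAUTH_SUCCESS",
    90: "CHANNEL_OPEN", 91: "CHANNEL_OPEN_CONFIRMATION",
    93: "CHANNEL_WINDOW_ADJUST", 94: "CHANNEL_DATA", 96: "CHANNEL_EOF",
    97: "CHANNEL_CLOSE", 98: "CHANNEL_REQUEST", 99: "CHANNEL_SUCCESS",
}
SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2   # SFTP handshake packet types


class Reader:
    """Sequential reader for the SSH wire types of RFC 4251 section 5."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        if self.pos >= len(self.data):
            raise ValueError("truncated byte")
        v = self.data[self.pos]
        self.pos += 1
        return v

    def boolean(self):
        return self.byte() != 0

    def uint32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self):
        n = self.uint32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_channel_request(payload):
    """Decode the body of SSH_MSG_CHANNEL_REQUEST (message 98)."""
    r = Reader(payload)
    req = {"recipient": r.uint32(), "request": r.string().decode("ascii"),
           "want_reply": r.boolean()}
    if req["request"] == "subsystem":
        req["subsystem"] = r.string().decode("ascii")   # e.g. "sftp"
    elif req["request"] == "exit-status":
        req["status"] = r.uint32()
    return req


def parse_channel_data(payload):
    """Decode SSH_MSG_CHANNEL_DATA (message 94) into (recipient channel, data)."""
    r = Reader(payload)
    return r.uint32(), r.string()


def parse_sftp_packet(data):
    """Decode one SFTP packet: uint32 length, byte type, then the body.
    For INIT/VERSION the body is uint32 version plus name/data extension pairs."""
    r = Reader(data)
    if r.uint32() != len(data) - 4:
        raise ValueError("SFTP length field does not match packet size")
    pkt = {"type": r.byte()}
    if pkt["type"] in (SSH_FXP_INIT, SSH_FXP_VERSION):
        pkt["version"] = r.uint32()
        pkt["extensions"] = []
        while r.pos < len(data):
            pkt["extensions"].append((r.string().decode("ascii"),
                                      r.string().decode("ascii")))
    return pkt


def decode_session(records):
    """Walk (label, msgnum, payload) records. Once a channel has carried a
    'subsystem sftp' request, CHANNEL_DATA on it is decoded as SFTP packets.
    Assumption: channel ids match on both sides (true here, both are 0)."""
    sftp_channels, events = set(), []
    for who, num, payload in records:
        name = MSG_NAMES.get(num, "UNKNOWN_%d" % num)   # unknown types are not fatal
        if num == 98:
            req = parse_channel_request(payload)
            if req.get("subsystem") == "sftp":
                sftp_channels.add(req["recipient"])
            events.append((who, name, req["request"],
                           req.get("subsystem", req.get("status"))))
        elif num == 94:
            chan, data = parse_channel_data(payload)
            if chan in sftp_channels:
                pkt = parse_sftp_packet(data)
                events.append((who, name, "sftp",
                               (pkt["type"], pkt["version"], len(pkt["extensions"]))))
            else:
                events.append((who, name, "raw", len(data)))
        else:
            events.append((who, name, None, None))
    return events


# Constructed from the log excerpt above; bytes and labels copied as logged.
CAPTURE = [
    ("SERVER", 98, b"\x00\x00\x00\x00\x00\x00\x00\tsubsystem\x01\x00\x00\x00\x04sftp"),
    ("CLIENT", 99, b"\x00\x00\x00\x00"),
    ("SERVER", 94, b"\x00\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x05\x01\x00\x00\x00\x03"),
    ("CLIENT", 94, b"\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00|\x02\x00\x00\x00\x03"
                   b"\x00\x00\x00\x18posix-rename@openssh.com\x00\x00\x00\x011"
                   b"\x00\x00\x00\x13statvfs@openssh.com\x00\x00\x00\x012"
                   b"\x00\x00\x00\x14fstatvfs@openssh.com\x00\x00\x00\x012"
                   b"\x00\x00\x00\x14hardlink@openssh.com\x00\x00\x00\x011"),
    ("CLIENT", 98, b"\x00\x00\x00\x00\x00\x00\x00\x0bexit-status\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for event in decode_session(CAPTURE):
        print(event)
```

Running it prints the subsystem request, the SFTP INIT (type 1, protocol version 3) from the attacker, the server's VERSION reply (type 2, version 3, four OpenSSH extensions) and the final exit-status 0, which is exactly the sequence the log above shows in raw bytes.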

Yeah, it looks to be SFTP traffic. I currently have not implemented it and 
won't get round to it for a while but I'll keep this issue open until I get 
round to it.

Original comment by tnn...@googlemail.com on 3 Mar 2014 at 4:02

  • Changed state: Accepted

Forgot to say, for now I recommend disabling SFTP in the sshd_config:
# Subsystem sftp /usr/lib/openssh/sftp-server

Original comment by tnn...@googlemail.com on 4 Mar 2014 at 6:48

For now I have disabled SFTP at the HonSSH level. Eventually I will code an 
SFTP parser and extract their activity.

Original comment by tnn...@googlemail.com on 30 Mar 2014 at 3:23

  • Changed state: Fixed