LinuxQuestions.org
Old 05-27-2005, 05:06 PM   #1
sovietpower
Member
 
Registered: Jun 2003
Distribution: Slackware64 14.1 and -current
Posts: 209

Rep: Reputation: 30
questionable content in /var/log/messages


I went to VNC to my server and it didn't work. So I sshed in to see what was going on. I found out that my web server isn't running, and some other stuff.
I checked /var/log/messages and found some weird stuff.

May 25 22:14:09 kremlin syslogd 1.4.1: restart
May 25 22:14:29 kremlin sshd[605]: Server listening on 0.0.0.0 port 1025.
May 25 22:18:34 kremlin sshd[638]: Bad protocol version identification '\005' from 71.109.65.130
May 25 22:34:09 kremlin -- MARK --
May 25 22:46:35 kremlin sshd[641]: Bad protocol version identification '\005' from 71.109.65.130
May 25 23:14:09 kremlin -- MARK --
May 25 23:34:09 kremlin -- MARK --
May 25 23:54:09 kremlin -- MARK --
May 26 00:14:09 kremlin -- MARK --
May 26 00:21:11 kremlin sshd[697]: Bad protocol version identification '\005' from 71.109.71.94
May 26 00:34:09 kremlin -- MARK --
May 26 00:39:39 kremlin sshd[699]: Bad protocol version identification '\005' from 71.1.248.237
May 26 00:54:09 kremlin -- MARK --
May 26 01:14:09 kremlin -- MARK --
May 26 01:34:09 kremlin -- MARK --
May 26 01:54:09 kremlin -- MARK --
May 26 02:14:09 kremlin -- MARK --
May 26 02:15:55 kremlin sshd[758]: Bad protocol version identification '\005' from 71.109.12.69
May 26 02:34:09 kremlin -- MARK --
May 26 02:54:09 kremlin -- MARK --
May 26 03:14:09 kremlin -- MARK --
May 26 03:34:09 kremlin -- MARK --
May 26 03:54:09 kremlin -- MARK --
May 26 04:14:09 kremlin -- MARK --
May 26 04:34:09 kremlin -- MARK --
May 26 04:54:09 kremlin -- MARK --
May 26 05:14:09 kremlin -- MARK --
May 26 05:16:07 kremlin sshd[893]: Bad protocol version identification '\005' from 71.109.29.168
May 26 05:34:09 kremlin -- MARK --
May 26 05:54:09 kremlin -- MARK --
May 26 06:14:09 kremlin -- MARK --
May 26 06:34:09 kremlin -- MARK --
May 26 06:54:09 kremlin -- MARK --

As you may see, my ssh server runs on 1025; it is on purpose. I am wondering why the --MARK--s are there. The restart of the machine may have been by me, but I don't remember. From what I understand the '\005' is a command trying to be executed, and obviously the IP is remote. Also in the log it shows when I connected with ssh and says I connect from a different port, like in the 3000s. Why is that when I specified to connect on port 1025?

Thx - sovietpower
 
Old 05-28-2005, 01:08 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: questionable content in /var/log/messages

Quote:
As you may see, my ssh server runs on 1025; it is on purpose. I am wondering why the --MARK--s are there.
The "MARK" message is simply a message automatically logged every 20 minutes. That way if syslog dies for some reason, you'll see a gap in the "MARK" messages. In systems that don't use that feature, it can be very hard to tell if logging has failed just by looking at the logs.

Quote:
From what I understand the '\005' is a command trying to be executed, and obviously the IP is remote.
Not entirely sure what that message is, but I wouldn't be surprised if it's a result of port scanning. A number of scanners like nmap will do service interrogation to identify daemon versions and services running on alternative ports. If the scanner tried a protocol (like nfs), it could cause those errors. There are also a number of trojans that use that as a default port, so it could also be someone trying to find compromised machines. It might be helpful to run tcpdump for a while and capture some packets in order to more accurately identify the cause.

Quote:
Also in the log it shows when I connected with ssh and says I connect from a different port, like in the 3000s. Why is that when I specified to connect on port 1025?
Could you post an example? I believe you're seeing the source port that you are connecting with, not the destination port. The source port will be variable and is usually >1023 (the actual ranges used are set in /proc/sys/net/ipv4/).
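An added example (not from the thread or either poster) that applies the diagnostic points of this answer to a constructed log in the same format as the excerpt above: it flags missing MARK entries (one is written every 20 minutes, so a longer gap means syslogd was not logging), tallies the "Bad protocol version identification" events per source address so scan-like activity stands out, and decodes sshd's octal escape to show that '\005' is a single non-printable byte the client sent where a protocol banner was expected. The year, the one-minute slack and the sample lines (which deliberately omit the 23:54:09 MARK) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2005  # assumed: syslog timestamps carry no year; the thread is from May 2005

# Constructed sample in the format of the thread's /var/log/messages excerpt;
# the 23:54:09 MARK is left out on purpose so that gap detection has something to find.
SAMPLE_LOG = """\
May 25 22:14:09 kremlin syslogd 1.4.1: restart
May 25 22:14:29 kremlin sshd[605]: Server listening on 0.0.0.0 port 1025.
May 25 22:18:34 kremlin sshd[638]: Bad protocol version identification '\\005' from 71.109.65.130
May 25 22:34:09 kremlin -- MARK --
May 25 22:46:35 kremlin sshd[641]: Bad protocol version identification '\\005' from 71.109.65.130
May 25 22:54:09 kremlin -- MARK --
May 25 23:14:09 kremlin -- MARK --
May 25 23:34:09 kremlin -- MARK --
May 26 00:14:09 kremlin -- MARK --
May 26 00:21:11 kremlin sshd[697]: Bad protocol version identification '\\005' from 71.109.71.94
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
BADVER_RE = re.compile(r"Bad protocol version identification '(.*)' from (\S+)")


def parse(text):
    """Yield (timestamp, host, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def mark_gaps(text, interval=timedelta(minutes=20), slack=timedelta(seconds=60)):
    """Return (previous_mark, next_mark) pairs spaced more than one interval apart.
    Such a gap means syslogd was not writing (dead, stopped or being restarted)."""
    marks = [ts for ts, _, msg in parse(text) if msg == "-- MARK --"]
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > interval + slack]


def bad_version_by_source(text):
    """Count 'Bad protocol version identification' events per source address."""
    counts = Counter()
    for _, _, msg in parse(text):
        m = BADVER_RE.search(msg)
        if m:
            counts[m.group(2)] += 1
    return counts


def decode_banner(quoted):
    """Turn the escaped banner text sshd logs (e.g. '\\005') back into raw bytes;
    sshd renders non-printable bytes as three-digit octal escapes."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), quoted).encode("latin-1")
```

Running `bad_version_by_source` over a real log and sorting by count is a quick way to see whether the probes come from a few addresses or from many, which is the distinction between a single scanner and a wider sweep.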