Strange openssh-server log in / var / log / auth.log

Question

Strange openssh-server log in / var / log / auth.log

I found a very strange entry in my log files

Jan 29 01:35:30 vs-proj-handy sshd[5316]: Received disconnect from 130.207.203.56: 11: These aren't the droids we're looking for. [preauth]

I think the message "These are not the droids we are looking for." something like quit eating? But if so, how can I reproduce it? I could not find places where opensshd stores standard disconnect strings.

So this exit message is standard or if not, how can I reproduce this?

+6

logging openssh sshd

tuxmania Jan 29 '14 at 13:13

source share

2 answers

I sent a note to the abuse of GA Tech after viewing 5 of them in my magazines. I got a quick response that:

This activity is part of an ongoing research project here at Georgia Tech.

I am surprised that their custom disconnect message does not provide information about a research project.

+1

eye Mar 16 '14 at 19:18

source share

Nathan crawford · Accepted Answer · 2014-01-29T15:32:50+0000

To answer your question, this message comes from the client. The server simply records all messages sent by the client before shutting down.

I had the same message in my log files this morning. IP address belongs to Georgia Tech. On my server, they did not try to log in or do something malicious. They simply connected, and then disconnected, leaving this message.

I am going to go on a limb and say that these are probably some students at Georgia Tech, using the code from the libssh2 example for laughs. See http://www.libssh2.org/examples/ssh2_agent.html , find “Normal Shutdown, Thanks for the Game” to see how easy it is to insert a custom shutdown message.

Strange openssh-server log in / var / log / auth.log

More articles: