daxue

Wrong SSH login blocking?

3 posts in this topic

Remote host/server: in our lab, an SSH server (should be an F-Secure SSH Server), Windows XP, KIS installed

 

Local host/client: at home, F-Secure SSH Client, Windows XP pro sp2, KIS 7.0.0.125 with latest update

 

Problem description: When I log in from the client to the server through VPN, the following "intrusion" is intercepted by Kaspersky (an alarm is shown) and I fail to log in to the server.

 

"Intrusion.Win.PuttySSH.grt.buffer-overflow.exploit", xxx.xxx.xx.xx (server IP), TCP, xxxx (port)

 

And the client popped up a message:

 

Server responded "Connection closed by remote host".

 

The connection to the remote host was lost. This usually means that your network connection went down or that the remote host was rebooted. Most network outages are short, and thus trying again may work.

 

If I log in again immediately, a different message pops up:

 

The host 'xxx.xxx.xx.xx' (server) is unreachable.

 

The host may be down, or there may be a problem with the network connection. Sometimes such problems can also be caused by a misconfigured firewall.

 

It seems the server restarts after the 1st login, since logging in again after a longer time makes the 1st message appear again.

 

I guess it's a wrong blocking, and I want to shut off the blocking rule. But I couldn't find it in the list of blocking rules in the Kaspersky settings.

 

Questions:

1) Is it a real intrusion (is my server infected by a virus)?

2) Is it just a wrong blocking? If yes, how do I shut off this blocking rule (I don't want to shut off Kaspersky)?

3) Or is it maybe due to some setting on the server? E.g. the server allows only 1 user, and I log in as a second user. This could be the problem, since previously I succeeded in logging in. At that time, I know only I was logging in. This time, I am the second user. But how Kaspersky stopped an "intrusion" is curious.

 

Attachment: attach.rar

Thanks to Whizard's reply to my previous wrong-place post http://forum.kaspersky.com/index.php?showtopic=48683 , I used KLDump to dump the packets with the command "kldump -f r.dmp -r xxx.xxx.xx.xx -p tcp". After the above 1st message was shown, I stopped KLDump with Ctrl-C. The dump file is in the attachment together with sysinfo.txt created by GetSystemInfo Parser. Screen copy of KLDump:

 

Writing captured traffic into r.dmp...

Packets/bytes captured: 6/440

Execution stopped.

The blocking could indeed be a false alarm. I would suggest to send the dump file to newattack@kaspersky.com, if it is a false alarm it will be fixed.

The blocking could indeed be a false alarm. I would suggest to send the dump file to newattack@kaspersky.com, if it is a false alarm it will be fixed.

 

Thanks. Sent already.
