We are seeing events triggered by this signature that appear to be invalid. SSH2 connection attempts appear to be triggering these events, when the exploit is clearly for SSH1. The signature is utilizing the SSH1 engine, but SSH1 is disabled on the host we are seeing connection attempts to.
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to uaxxxx [xxx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/b687511/.ssh/identity type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2-pwexp24
debug1: match: OpenSSH_3.7.1p2-pwexp24 pat OpenSSH*
Protocol major versions differ: 1 vs. 2
Am I missing something or is there a bug in this signature?
Thanks
Chris
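
One way to triage alerts like this is to check which protocol versions the server advertised in its identification string. The sketch below is an added example, not part of the original post and not the IDS vendor's logic. The function names are hypothetical, and it assumes the analyst has either the raw server banner or an `ssh -v` debug line like the one quoted above.

```python
import re

# Identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
# Line printed by the OpenSSH client with -v, as in the post above.
DEBUG_RE = re.compile(
    r"Remote protocol version (\d+)\.(\d+), remote software version (\S+)")


def classify(major, minor):
    """Return the set of SSH protocol majors the server advertises."""
    if major == 1 and minor == 99:
        return {1, 2}      # 1.99 = SSH2 server that also accepts SSH1 clients
    if major == 1:
        return {1}
    if major == 2:
        return {2}
    return set()


def server_protocols(line):
    """Parse a raw banner or an `ssh -v` debug line; None if neither matches."""
    m = BANNER_RE.search(line.strip()) or DEBUG_RE.search(line)
    if not m:
        return None
    return classify(int(m.group(1)), int(m.group(2)))


def ssh1_alert_plausible(line):
    """True if an SSH1-only signature could apply to this server."""
    protos = server_protocols(line)
    # Unknown banner: keep the alert for manual review rather than drop it.
    return True if protos is None else 1 in protos


if __name__ == "__main__":
    samples = [
        # Taken from the debug output quoted in the post.
        "debug1: Remote protocol version 2.0, remote software version "
        "OpenSSH_3.7.1p2-pwexp24",
        "SSH-1.99-OpenSSH_3.7.1p2",   # constructed sample
        "SSH-1.5-1.2.27",             # constructed sample
    ]
    for s in samples:
        print(server_protocols(s), ssh1_alert_plausible(s))
```

This only reports what the server advertised; it does not show which bytes the signature matched on.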