MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

SSH-2.0-ROSSSH? in my Mikrotik LOG

Fri Apr 28, 2017 10:44 pm

Hi,

I'm just wondering why I still have records in my router LOG that include the name of the Mikrotik router and "SSH-2.0-ROSSSH?"

This looks like something bad ...

https://www.exploit-db.com/exploits/28056/
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Sat Apr 29, 2017 7:20 am

It would seem you don't have anything to worry about unless you are running very old code.

viewtopic.php?t=76310#p384465

It's incredibly important we all work to keep our devices up to date. The old adage of unboxing a router, setting it up and forgetting about it just isn't safe. It wasn't before and it definitely isn't now.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Sat Apr 29, 2017 1:04 pm

Thanks for the explanation. I have the most current version (6.39 now).

If this does not concern those who have current firmware, then why is this message in my router log?
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Mon May 01, 2017 9:29 pm

I don't get that message in my log on 6.38.5. Could you post a chunk of your log showing the message in particular?
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Wed May 03, 2017 9:52 pm

I see it over there, in the rows with the title "Router SSH-2.0-ROSSSH?".
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Msg-Type = discover
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Host-Name = "Router"
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Client-Id = 01-XX-XX-XX-XX-XX-95
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router sending string
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router SSH-2.0-ROSSSH?
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Wed May 03, 2017 10:50 pm

What are your logging settings?
/system logging print
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Wed May 03, 2017 11:12 pm

 /system logging print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                           ACTION                          PREFIX    
 0  * info                             remote                                    
 1  * error                            remote                                    
 2  * warning                          remote                                    
 3  * critical                         remote                                    
 4    ovpn                             remote                                    
 5    route                            remote                                    
 6    firewall                         remote                                    
 7    certificate                      remote                                    
 8    debug                            remote 
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Wed May 03, 2017 11:32 pm

Thanks, you have debug on. I also don't see the topics displayed in your log message. Is your syslog server truncating that part of the message? It'd be right before the actual message text. Here's a message from mine:
15:33:34 ssh,debug,packet packet create: 94
The topics would help us tell where it's coming from.

Also it appears you may be running CAPsMAN. Is it possible it's trying to control a device with really old code that may be vulnerable to that old exploit?
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Thu May 04, 2017 9:23 pm

May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router     Host-Name = "Router"
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router     Client-Id = 01-XX-XX-XX-XX-XX-95
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router received Router Advertisement on  interface=ether1-gateway
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router received prefix 2001:db8:1::/64
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router sending string
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router SSH-2.0-ROSSSH?
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router 
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router closing connection: <connection error> ::ffff:NNN.NN.NNN.NNN:57954 (4)
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router skip Router Advertisement sending on pppoe-out1: no prefixes to send
May  4 20:16:57 192.168.3.250 May  4 20:16:57 Router dhcp-client on ether1-gateway sending discover with id 787888673 to 255.255.255.255
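
Added example, not part of the original posts: a Python triage helper for relayed debug lines like the ones above. It pairs each SSH identification string with the `closing connection` line that follows it, so the remote peer behind a banner entry can be read off. It assumes both lines belong to the same SSH session; `ssh_banner_events`, the 5-second window, the year and the sample peer address are constructed for illustration.

```python
import re
from datetime import datetime

# Relayed line layout seen in the thread: "<ts> <relay-ip> <ts> <hostname> <message>".
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ?(.*)$")
BANNER = re.compile(r"^SSH-\d+\.\d+-\S+")  # SSH identification string (RFC 4253, section 4.2)
CLOSE = re.compile(r"^closing connection: (<[^>]*>) (\S+):(\d+) ")

# Constructed sample modelled on the posted excerpts; the peer address is a
# documentation-range placeholder, not a value from the thread.
SAMPLE = [
    'May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Host-Name = "Router"',
    'May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router sending string',
    'May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router SSH-2.0-ROSSSH?',
    'May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router sending string',
    'May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router SSH-2.0-ROSSSH?',
    'May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router ',
    'May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router closing connection: '
    '<connection error> ::ffff:198.51.100.23:57954 (4)',
]

def parse(line, year):
    """Return (timestamp, hostname, message), or None for lines in another layout."""
    m = LINE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(4).strip()

def ssh_banner_events(lines, window=5, year=2017):
    """Pair each SSH banner line with the next close line within `window` seconds."""
    events, pending = [], None
    for raw in lines:
        rec = parse(raw, year)
        if rec is None:
            continue
        ts, host, msg = rec
        if BANNER.match(msg):
            pending = {"time": ts, "router": host, "banner": msg, "peer": None, "reason": None}
            events.append(pending)
        elif pending and (c := CLOSE.match(msg)):
            if (ts - pending["time"]).total_seconds() <= window:
                pending["peer"] = f"{c.group(2)}:{c.group(3)}"
                pending["reason"] = c.group(1)
            pending = None
    return events

if __name__ == "__main__":
    for e in ssh_banner_events(SAMPLE):
        print(e["time"], e["router"], e["banner"], e["peer"] or "no close line seen")
```

A banner entry with no peer means no close line followed within the window, which is what the May 3 excerpt looks like as posted.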
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Thu May 04, 2017 9:39 pm

Thanks for the additional post but I think your Syslog server is trimming the topics out.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Fri May 05, 2017 11:08 pm

What can I do to find out what this problem is?
 
idlemind
Forum Guru
Posts: 1102
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Fri May 05, 2017 11:31 pm

If you stop logging DEBUG, I imagine it will go away on its own. I can turn on DEBUG on one of mine that is dumping to syslog to see if I see that string with any topics.

Long term you probably want to look into why your Syslog server is truncating topics off of the messages.
 
MikroTikFan
Member Candidate
Topic Author
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Mon Jun 12, 2017 12:23 am

Right, after switching off Debug it's gone!

Thanks

The question is, why is this included in DEBUG log mode?
