
SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Fri Apr 28, 2017 10:44 pm
by MikroTikFan
Hi,

I'm just wondering why I still have records in my router LOG including the name of the Mikrotik router and "SSH-2.0-ROSSSH?"

This looks like something bad ...

https://www.exploit-db.com/exploits/28056/

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Sat Apr 29, 2017 7:20 am
by idlemind
It would seem you don't have anything to worry about unless you are running very old code.

viewtopic.php?t=76310#p384465

It's incredibly important we all work to keep our devices up to date. The old adage of unboxing a router, setting it up and forgetting about it just isn't safe. It wasn't before and it definitely isn't now.

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Sat Apr 29, 2017 1:04 pm
by MikroTikFan
Thanks for the explanation. I have the most current version (6.39 now).

If this is not a concern for those who have current firmware, why is this message in my router log?

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Mon May 01, 2017 9:29 pm
by idlemind
I don't get that message in my log on 6.38.5. Could you post a chunk of your log showing the message in particular?

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Wed May 03, 2017 9:52 pm
by MikroTikFan
I see it over there in the rows with the title "Router SSH-2.0-ROSSSH?".
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Msg-Type = discover
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Host-Name = "Router"
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router     Client-Id = 01-XX-XX-XX-XX-XX-95
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router sending string
May  3 20:40:54 192.168.3.250 May  3 20:40:54 Router SSH-2.0-ROSSSH?

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Wed May 03, 2017 10:50 pm
by idlemind
What are your logging settings?
/system logging print

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Wed May 03, 2017 11:12 pm
by MikroTikFan
 /system logging print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                           ACTION                          PREFIX    
 0  * info                             remote                                    
 1  * error                            remote                                    
 2  * warning                          remote                                    
 3  * critical                         remote                                    
 4    ovpn                             remote                                    
 5    route                            remote                                    
 6    firewall                         remote                                    
 7    certificate                      remote                                    
 8    debug                            remote 

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Wed May 03, 2017 11:32 pm
by idlemind
Thanks, you have debug on. I also don't see the topics displayed in your log message. Is your syslog server truncating that part of the message? It'd be right before the actual message text. Here's a message from mine:
15:33:34 ssh,debug,packet packet create: 94
The topics would help us tell where it's coming from.

Also it appears you may be running CAPsMAN. Is it possible it's trying to control a device with really old code that may be vulnerable to that old exploit?

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Thu May 04, 2017 9:23 pm
by MikroTikFan
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router     Host-Name = "Router"
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router     Client-Id = 01-XX-XX-XX-XX-XX-95
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router received Router Advertisement on  interface=ether1-gateway
May  4 20:16:51 192.168.3.250 May  4 20:16:51 Router received prefix 2001:db8:1::/64
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router sending string
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router SSH-2.0-ROSSSH?
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router 
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router closing connection: <connection error> ::ffff:NNN.NN.NNN.NNN:57954 (4)
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router skip Router Advertisement sending on pppoe-out1: no prefixes to send
May  4 20:16:57 192.168.3.250 May  4 20:16:57 Router dhcp-client on ether1-gateway sending discover with id 787888673 to 255.255.255.255
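
Added example, not part of any post in this thread: a small Python parser for the syslog layout shown above that pairs each "SSH-2.0-ROSSSH" banner line with the next "closing connection" line from the same source and tallies the remote peers. The pairing rule, the function name `ssh_banner_peers` and the sample lines (documentation-range addresses in place of the masked ones) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log posted above; peer addresses are
# documentation-range placeholders (the thread masks the real ones).
SAMPLE = """\
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router sending string
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router SSH-2.0-ROSSSH?
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router 
May  4 20:16:55 192.168.3.250 May  4 20:16:55 Router closing connection: <connection error> ::ffff:203.0.113.7:57954 (4)
May  4 20:16:57 192.168.3.250 May  4 20:16:57 Router dhcp-client on ether1-gateway sending discover with id 787888673 to 255.255.255.255
May  4 20:17:30 192.168.3.250 May  4 20:17:30 Router SSH-2.0-ROSSSH?
May  4 20:17:31 192.168.3.250 May  4 20:17:31 Router closing connection: <connection error> ::ffff:203.0.113.7:40112 (4)
May  4 20:18:02 192.168.3.250 May  4 20:18:02 Router SSH-2.0-ROSSSH?
May  4 20:18:40 192.168.3.250 May  4 20:18:40 Router closing connection: <connection error> ::ffff:198.51.100.23:51000 (4)
May  4 20:19:00 192.168.3.250 May  4 20:19:00 Router SSH-2.0-ROSSSH?
"""

# receiver timestamp, source host, device timestamp, identity, message
LINE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s?(.*)$")
# remote address and port at the end of a "closing connection" message
PEER = re.compile(r"closing connection:.*?\s(\S+):(\d+)\s\(\d+\)\s*$")

def ssh_banner_peers(text):
    """Return (Counter of peer IPs, timestamps of banners with no close line)."""
    peers, unmatched, pending = Counter(), [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the expected layout
        stamp, source, _identity, msg = m.groups()
        msg = msg.strip()
        if msg.startswith("SSH-2.0-ROSSSH"):
            if source in pending:  # earlier banner never saw a close line
                unmatched.append(pending[source])
            pending[source] = stamp
        elif source in pending and (p := PEER.search(msg)):
            # Assumption: this close line ends the session that got the banner.
            peers[p.group(1).removeprefix("::ffff:")] += 1
            del pending[source]
    unmatched.extend(pending.values())
    return peers, unmatched

if __name__ == "__main__":
    counts, leftover = ssh_banner_peers(SAMPLE)
    for addr, n in counts.most_common():
        print(f"{addr}: {n} connection(s) received the SSH banner")
    print("banners without a close line:", leftover)
```

Peers that show up repeatedly here are candidates for a firewall rule restricting who can reach the router's SSH service.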

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Thu May 04, 2017 9:39 pm
by idlemind
Thanks for the additional post but I think your Syslog server is trimming the topics out.

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Fri May 05, 2017 11:08 pm
by MikroTikFan
What can I do to figure out this problem?

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Fri May 05, 2017 11:31 pm
by idlemind
If you stop logging DEBUG I imagine it will go away on its own. I can turn on DEBUG on one of mine that is dumping to syslog to see if I see that string with any topics.

Long term you probably want to look into why your Syslog server is truncating topics off of the messages.

Re: SSH-2.0-ROSSSH? in my Mikrotik LOG

Posted: Mon Jun 12, 2017 12:23 am
by MikroTikFan
Right, after switching off Debug it's gone!

Thanks

The question is why this is included in DEBUG log mode?