Got another one. Three hits so far this morning, one at 7:52, one at 8:18, and one at 8:45.
Nov 23 08:44:44 redking sshd[17649]: Bad protocol version identification 'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120
Nmap results:
Interesting ports on esther.huntington.edu (199.8.89.120):
25/tcp open smtp
53/tcp open domain ISC Bind 8.4.4
80/tcp open http Microsoft IIS webserver 6.0
443/tcp closed https
Web is passworded. SMTP doesn't appear to accept standard commands. Entering HELP or HELO gets me "503 Not Implement." Then it disconnects. Server appears to be secure other than whatever port scanning it is doing. Since this one appears to be a secure university IIS machine, I'm not sure what's going on anymore. I could see Chinese students aiming for the low hanging fruit of underutilized DNS machines, but this machine seems like it'd be more of a tough nut to crack.
After some more Googling, I've seen people trying to use a web request as a buffer overflow to get an SSH, but since I don't see why anyone would think I'd be running ssh on that port, I'm not sure that makes sense. The other possibility is that this is some bot network, and once it found my port running ssh, it passed my IP/port on to the botnet, and now I'm going to be getting probed from all over. If I see more machines start knocking, it may be time to shift ports.
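An added example, not part of the original post: it parses sshd "Bad protocol version identification" lines of the form quoted above, counts them per source address and flags repeat probers, which is the check you would want before deciding whether one host or many are knocking. The sample log lines are constructed (192.0.2.10 is a placeholder address).

```python
import re
from collections import defaultdict

# Matches the sshd line shape seen in the post; newer OpenSSH appends
# " port N" after the address, which the optional group accepts.
BAD_PROTO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Bad protocol version identification '(?P<payload>.*)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

# Payloads that start like an HTTP request line: a web client, proxy
# checker or scanner talking HTTP to the SSH port, as in the post.
HTTP_RE = re.compile(r"^(GET|POST|HEAD|CONNECT|OPTIONS) \S+ HTTP/\d\.\d$")

# Constructed sample lines; the third reproduces the one from the post.
SAMPLE_LINES = [
    "Nov 23 07:52:10 redking sshd[17601]: Bad protocol version identification "
    "'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120",
    "Nov 23 08:18:31 redking sshd[17622]: Bad protocol version identification "
    "'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120",
    "Nov 23 08:44:44 redking sshd[17649]: Bad protocol version identification "
    "'GET http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120",
    "Nov 23 08:50:02 redking sshd[17660]: Bad protocol version identification "
    "'QUIT' from 192.0.2.10",
    "Nov 23 08:51:00 redking sshd[17670]: Accepted publickey for alice "
    "from 192.0.2.20 port 51514 ssh2",
]


def parse_bad_proto(line):
    """Return a dict (ts, src, payload) for a bad-banner line, else None."""
    m = BAD_PROTO_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"),
            "payload": m.group("payload")}


def looks_like_http(payload):
    """True when the junk banner is an HTTP request line."""
    return HTTP_RE.match(payload) is not None


def probes_by_source(lines):
    """Group bad-banner events by source address."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_bad_proto(line)
        if ev:
            events[ev["src"]].append(ev)
    return events


def repeat_probers(lines, threshold=3):
    """Sources with at least `threshold` bad-banner events."""
    return sorted(src for src, evs in probes_by_source(lines).items()
                  if len(evs) >= threshold)
```

Feeding the real auth log in (one line per list element) shows whether the hits are all the one address or, as the post worries, many hosts starting to knock.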