Question

I found a very strange entry in my log files

Jan 29 01:35:30 vs-proj-handy sshd[5316]: Received disconnect from 130.207.203.56: 11: These aren't the droids we're looking for. [preauth] 

I guess the message "These aren't the droids we're looking for." is some kind of quit message? But if it is, how can I reproduce that? I couldn't find any place where opensshd stores its standard disconnect strings.

So is this quit message a standard one OR if not, how can I reproduce that?


Solution

To directly answer your question, that message comes from the client. The server simply records whatever message the client sent before disconnecting.

I had the exact same message in my log files this morning. The IP address belongs to Georgia Tech. On my server, they didn't try to log in or do anything malicious. They just connected and then disconnected, leaving that message.

I'm going to go out on a limb and say it was probably some students at Georgia Tech using code from a libssh2 example for laughs. See http://www.libssh2.org/examples/ssh2_agent.html, search for "Normal Shutdown, Thank you for playing" to see where a custom disconnect message could be easily inserted.

OTHER TIPS

I sent a note to the GA Tech abuse address after seeing 5 of these in my logs. I received a prompt reply that:

This activity is part of an ongoing research project here at Georgia Tech.

I'm surprised their custom disconnect message does not provide information on the research project.

Licensed under: CC-BY-SA with attribution