[GRLUG] Rogue SSH connections

megadave megadave at gmail.com
Sun Oct 6 21:16:49 EDT 2013


Are these fully established connections? If not, perhaps they are a SYN
attack with a spoofed source address.



On Sun, Oct 6, 2013 at 8:45 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> On Sun, 6 Oct 2013, Adam Tauno Williams wrote:
>
>> 'netstat --listen --tcp --inet' would be better, or 'netstat --listen
>> --tcp --net --program --numeric'
>>
> Interesting ... with more checking, I see that there is a connection open
> from .252, which spawned a root environment:
>
> lvl      sshd       18593    5* internet stream tcp 0xd9041350
> 206.197.251.191:2206 <-- 206.197.251.252:59996
> root     sshd        5767    5* internet stream tcp 0xd9041350
> 206.197.251.191:2206 <-- 206.197.251.252:59996
>
> Unfortunately, no open port shows on the source machine (.252) at ALL:
>
> # netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:2206            0.0.0.0:*               LISTEN      2991/sshd
> tcp        0     48 206.197.251.252:2206    206.197.251.191:14458   ESTABLISHED 11094/sshd: lvl [pr
> tcp        0      0 :::2206                 :::*                    LISTEN      2991/sshd
>
> *Except* for the connection I am using (the 14456). Stranger & stranger!!
>
>         Lee
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
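Two checks come up in the thread: whether the sshd sockets are fully established (a pile of SYN_RECV entries points at half-open connections rather than real sessions), and why a connection that .191 reports from .252:59996 has no counterpart in the netstat table on .252. The script below is an added example, not code from anyone on the list: it parses `netstat -tanp`-style output, counts socket states on the sshd port, lists half-open sockets, and cross-checks two hosts' tables for ESTABLISHED connections that only one side knows about. The two netstat listings are constructed for the example (modelled on the thread; the 203.0.113.9 SYN_RECV entry and the .191 view are invented), and the port number 2206 is taken from the thread.

```python
import re
from collections import Counter

# Constructed 'netstat -tanp' output for host .252, modelled on the thread:
# it only shows the operator's own session (.191:14458 -> .252:2206).
NETSTAT_252 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2206            0.0.0.0:*               LISTEN      2991/sshd
tcp        0     48 206.197.251.252:2206    206.197.251.191:14458   ESTABLISHED 11094/sshd: lvl [pr
tcp        0      0 :::2206                 :::*                    LISTEN      2991/sshd
"""

# Constructed view from host .191: the session it reports from .252:59996,
# the operator's outbound session, and one half-open (SYN_RECV) socket.
NETSTAT_191 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2206            0.0.0.0:*               LISTEN      2991/sshd
tcp        0      0 206.197.251.191:2206    206.197.251.252:59996   ESTABLISHED 5767/sshd: root
tcp        0      0 206.197.251.191:14458   206.197.251.252:2206    ESTABLISHED 18593/ssh
tcp        0      0 206.197.251.191:2206    203.0.113.9:40001       SYN_RECV    -
"""

# One netstat TCP row: proto, queues, local addr:port, foreign addr:port,
# state, program. '::' style IPv6 addresses and '*' ports are handled.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)\s*(?P<prog>.*)$"
)


def parse_netstat(text):
    """Parse netstat -tanp text into row dicts; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def state_counts(rows, local_port):
    """Count socket states for one local port (e.g. the sshd port)."""
    return Counter(r["state"] for r in rows if r["lport"] == str(local_port))


def half_open(rows, local_port):
    """Sockets on the port whose handshake never completed. Many of these
    with assorted foreign addresses is the SYN-flood / spoofed-source picture."""
    return [r for r in rows
            if r["lport"] == str(local_port) and r["state"] == "SYN_RECV"]


def unmatched_established(local_rows, remote_rows, remote_ip):
    """ESTABLISHED connections to remote_ip in local_rows whose mirror image
    (local and foreign ends swapped) is missing from remote_rows.
    A session one end reports and the other does not deserves a closer look."""
    remote_keys = {
        (r["laddr"], r["lport"], r["raddr"], r["rport"])
        for r in remote_rows if r["state"] == "ESTABLISHED"
    }
    return [
        r for r in local_rows
        if r["state"] == "ESTABLISHED" and r["raddr"] == remote_ip
        and (r["raddr"], r["rport"], r["laddr"], r["lport"]) not in remote_keys
    ]


if __name__ == "__main__":
    rows_191 = parse_netstat(NETSTAT_191)
    rows_252 = parse_netstat(NETSTAT_252)
    print("sshd port states on .191:", dict(state_counts(rows_191, 2206)))
    for r in half_open(rows_191, 2206):
        print("half-open:", r["raddr"], r["rport"])
    for r in unmatched_established(rows_191, rows_252, "206.197.251.252"):
        print("reported by .191 but absent on .252:",
              f'{r["raddr"]}:{r["rport"]} -> {r["laddr"]}:{r["lport"]}', r["prog"])
```

Run on the real output of both machines (paste each host's `netstat -tanp` into the two strings, or read them from files), the unmatched list reproduces Lee's observation: the .252:59996 session exists in .191's table but has no socket on .252. When that happens, take a second, independent view before trusting either table, for example `ss -tanp` or `/proc/net/tcp` on each host, or a packet capture on the wire, since a connection table and a live capture should agree.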

