[GRLUG] Rogue SSH Connections

Adam Tauno Williams awilliam at whitemice.org
Mon Oct 7 16:51:28 EDT 2013


On Mon, 2013-10-07 at 15:49 -0500, L. V. Lammert wrote:
> They do, unfortunately.
> I can SEE a packet originating on the Linux box every so often:
> # tcpdump -A dst 206.197.251.191
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:42:16.254303 IP marvel.omnitec.net.60323 > apollo.omnitec.net.ssh:
> Flags [P.], seq 2576625054:2576625086, ack 3719790227, win 164, options
> [nop,nop,TS val 406652187 ecr 4170988506], length 32
> E..T..@.?.................-...~............
> .=....;....6.i.+.!K......ER....!5..T....
> How could a process keep a port open, yet there be no way to observe the
> port in a Linux kernel?

Is it possible the socket is half-open?  Or waiting to complete close
[CLOSE_WAIT]?

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
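Adam's suggestion, that the socket may sit in a state the usual tools do not list by default, can be checked straight from /proc/net/tcp, which lists every IPv4 TCP socket in the current network namespace with its state code and the socket inode that ties it back to a process. The script below is an added example for this thread, not code posted by either participant. The /proc/net/tcp table it parses is constructed: apollo's address 206.197.251.191 and the ssh port are taken from the thread, while marvel's address 192.168.1.10, the inode numbers and the other peer are made up. It assumes IPv4 (IPv6 sockets live in /proc/net/tcp6 with a different address width) and a little-endian host such as x86 or arm64.

```python
"""Find sockets to a given peer in /proc/net/tcp, including the states
netstat/ss hide by default, and map them back to a process.

Added example for the GRLUG thread; not code from the thread.
Assumptions: IPv4 only (IPv6 lives in /proc/net/tcp6), and the file was
produced on a little-endian host (x86, arm64), where the kernel prints the
32-bit address byte-reversed ("0100007F" is 127.0.0.1).
"""
import glob
import os
import socket
import struct

# State codes from the "st" column (kernel include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING", 0x0C: "NEW_SYN_RECV",
}

# Constructed sample in /proc/net/tcp layout: an sshd listener, an
# ESTABLISHED connection to an unrelated peer, and a CLOSE_WAIT socket
# from marvel (192.168.1.10, made up) port 60323 to apollo
# (206.197.251.191, from the thread) port 22. Inodes are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:B26E 0500000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:EBA3 BFFBC5CE:0016 08 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 0 10 -1
"""


def decode_endpoint(hex_endpoint):
    """'BFFBC5CE:0016' -> ('206.197.251.191', 22)."""
    addr_hex, port_hex = hex_endpoint.split(":")
    # The kernel prints the be32 address as a native uint32; on a
    # little-endian host that is byte-reversed, so unpack it as "<I".
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text (header included) into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        state_code = int(fields[3], 16)
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(state_code, "UNKNOWN(%02X)" % state_code),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def sockets_to_peer(rows, peer_ip, peer_port=None):
    """Every socket whose remote end is peer_ip (and peer_port if given),
    regardless of state, so CLOSE_WAIT and FIN_WAIT sockets are included."""
    return [r for r in rows
            if r["remote"][0] == peer_ip
            and (peer_port is None or r["remote"][1] == peer_port)]


def pid_for_inode(inode, proc_root="/proc"):
    """Return the PID holding socket:[inode] open, or None. Reading other
    users' /proc/<pid>/fd needs root. A socket with no owner is one the
    kernel is still tearing down after close(), e.g. in TIME_WAIT."""
    target = "socket:[%d]" % inode
    for fd_path in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd_path) == target:
                return int(fd_path.split(os.sep)[-3])
        except OSError:
            continue  # process or fd went away while we were walking
    return None


def report(text, peer_ip, peer_port=None, proc_root="/proc"):
    """One human-readable line per socket to the peer, with owning PID."""
    lines = []
    for r in sockets_to_peer(parse_proc_net_tcp(text), peer_ip, peer_port):
        pid = pid_for_inode(r["inode"], proc_root)
        lines.append("%s:%d -> %s:%d %s uid=%d inode=%d pid=%s" % (
            r["local"][0], r["local"][1], r["remote"][0], r["remote"][1],
            r["state"], r["uid"], r["inode"], pid if pid is not None else "-"))
    return lines


if __name__ == "__main__":
    import sys
    peer = sys.argv[1] if len(sys.argv) > 1 else "206.197.251.191"
    # Read the live table on Linux, otherwise fall back to the sample.
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for line in report(text, peer) or ["no sockets to %s" % peer]:
        print(line)
```

Two caveats when using this for real. First, the table is per network namespace: a socket opened inside a container or another netns is invisible from the host's default namespace and only shows up when read from inside it (for instance via `nsenter -t <pid> -n`). Second, the stock tools can do the same query once told not to filter: `netstat -tan` and `ss -tanp` list all states, and `ss -tan state close-wait` restricts to the state Adam mentions.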


