[GRLUG] Rogue SSH connections
L. V. Lammert
lvl at omnitec.net
Sun Oct 6 20:45:17 EDT 2013
On Sun, 6 Oct 2013, Adam Tauno Williams wrote:
> 'netstat --listen --tcp --inet' would be better, or 'netstat --listen
> --tcp --net --program --numeric'
>
Interesting, .. with more checking, I see that there is a connection open
from .252, which spawned a root environment:
lvl  sshd  18593  5* internet stream tcp 0xd9041350 206.197.251.191:2206 <-- 206.197.251.252:59996
root sshd   5767  5* internet stream tcp 0xd9041350 206.197.251.191:2206 <-- 206.197.251.252:59996
Unfortunately, no open port shows on the source machine (.252) at ALL:
# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2206            0.0.0.0:*               LISTEN      2991/sshd
tcp        0     48 206.197.251.252:2206    206.197.251.191:14458   ESTABLISHED 11094/sshd: lvl [pr
tcp        0      0 :::2206                 :::*                    LISTEN      2991/sshd
*Except* for the connection I am using (the 14456). Stranger & stranger!!
Lee
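The cross-check Lee is doing by eye above (does every session the .191 host reports have a matching socket on .252?) as an added example, not code from the thread. It assumes a constructed `netstat -tanp` sample modelled on the one in the post, and treats the left side of each fstat `<--` line as the local endpoint of .191 and the right side as the remote one.

```python
"""Check one host's socket table against the sessions its peer reports."""
from typing import List, NamedTuple, Tuple


class Sock(NamedTuple):
    local: str
    foreign: str
    state: str
    program: str


# Constructed sample, modelled on the `netstat -tanp` output from .252 in the post.
NETSTAT_252 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2206            0.0.0.0:*               LISTEN      2991/sshd
tcp        0     48 206.197.251.252:2206    206.197.251.191:14458   ESTABLISHED 11094/sshd: lvl [priv]
tcp        0      0 :::2206                 :::*                    LISTEN      2991/sshd
"""

# What .191 reports (transcribed from the fstat lines), as (local, foreign) pairs.
PEER_VIEW_191: List[Tuple[str, str]] = [
    ("206.197.251.191:2206", "206.197.251.252:59996"),   # the session Lee cannot find on .252
    ("206.197.251.191:14458", "206.197.251.252:2206"),   # Lee's own login into .252
]


def parse_netstat_tanp(text: str) -> List[Sock]:
    """Parse Linux `netstat -tanp` output into Sock records (TCP rows only)."""
    socks = []
    for line in text.splitlines():
        parts = line.split(None, 6)            # program name may contain spaces
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                           # skip banner, header and non-TCP rows
        program = parts[6].strip() if len(parts) == 7 else ""
        socks.append(Sock(parts[3], parts[4], parts[5], program))
    return socks


def unmirrored(peer_view: List[Tuple[str, str]], local_view: List[Sock]) -> List[Tuple[str, str]]:
    """Return peer-reported sessions that have no ESTABLISHED mirror on this host.

    A session the peer sees as (local=L, foreign=F) must show up here as
    (local=F, foreign=L); anything left over is what needs investigating.
    """
    present = {(s.local, s.foreign) for s in local_view if s.state == "ESTABLISHED"}
    return [(l, f) for (l, f) in peer_view if (f, l) not in present]


if __name__ == "__main__":
    for local, foreign in unmirrored(PEER_VIEW_191, parse_netstat_tanp(NETSTAT_252)):
        print(f"peer sees {foreign} -> {local}, but this host has no such socket")
```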