[GRLUG] Rogue SSH connections
megadave
megadave at gmail.com
Sun Oct 6 21:16:49 EDT 2013
Are these fully established connections? If not, perhaps they are a SYN
attack with a spoofed source address.
On Sun, Oct 6, 2013 at 8:45 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> On Sun, 6 Oct 2013, Adam Tauno Williams wrote:
>
>> 'netstat --listen --tcp --inet' would be better, or 'netstat --listen
>> --tcp --net --program --numeric'
>>
> Interesting... with more checking, I see that there is a connection open
> from .252, which spawned a root environment:
>
> lvl sshd 18593 5* internet stream tcp 0xd9041350
> 206.197.251.191:2206 <-- 206.197.251.252:59996
> root sshd 5767 5* internet stream tcp 0xd9041350
> 206.197.251.191:2206 <-- 206.197.251.252:59996
>
> Unfortunately, no open port shows on the source machine (.252) at ALL:
>
> # netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> PID/Program name
> tcp 0 0 0.0.0.0:2206 0.0.0.0:* LISTEN
> 2991/sshd
> tcp 0 48 206.197.251.252:2206 206.197.251.191:14458
> ESTABLISHED 11094/sshd: lvl [pr
> tcp 0 0 :::2206 :::* LISTEN
> 2991/sshd
>
> *Except* for the connection I am using (the 14456). Stranger & stranger!!
>
> Lee
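As an added example (not part of the thread), a small Python script that answers megadave's question and checks Lee's mismatch from `netstat -tanp` output: it lists sockets that are not fully ESTABLISHED, and reports connections one host shows that have no mirror entry on the peer. The two sample tables are constructed in Linux netstat layout from the addresses, ports and PIDs in the thread; the 203.0.113.9 row and the Linux-style layout of the .191 table are assumptions.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local remote state prog")

# Linux `netstat -tanp` row: proto recv-q send-q local foreign state pid/prog
_ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample tables (addresses from the thread; the 203.0.113.9 row is made up).
HOST_191 = """\
tcp 0 0 0.0.0.0:2206 0.0.0.0:* LISTEN 2991/sshd
tcp 0 0 206.197.251.191:2206 206.197.251.252:59996 ESTABLISHED 5767/sshd: root
tcp 0 0 206.197.251.191:14458 206.197.251.252:2206 ESTABLISHED 4410/ssh
tcp 0 0 206.197.251.191:2206 203.0.113.9:40111 SYN_RECV -
"""
HOST_252 = """\
tcp 0 0 0.0.0.0:2206 0.0.0.0:* LISTEN 2991/sshd
tcp 0 48 206.197.251.252:2206 206.197.251.191:14458 ESTABLISHED 11094/sshd: lvl
"""

def parse_netstat(text):
    """Return non-listening TCP sockets as Conn tuples; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(3) != "LISTEN":
            conns.append(Conn(m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return conns

def not_established(conns):
    """Sockets still in handshake or teardown; many SYN_RECV entries from
    addresses that never complete the handshake is the pattern of spoofed-source SYNs."""
    return [c for c in conns if c.state != "ESTABLISHED"]

def one_sided(conns_a, conns_b, peer_ip):
    """Connections host A shows towards peer_ip that host B does not show back.
    A genuine session appears on both ends with local/remote swapped, so a
    missing mirror means a stale, hidden or spoofed entry that needs a closer look."""
    mirrored = {(c.remote, c.local) for c in conns_b}
    return [c for c in conns_a
            if c.remote.startswith(peer_ip + ":") and (c.local, c.remote) not in mirrored]

if __name__ == "__main__":
    a, b = parse_netstat(HOST_191), parse_netstat(HOST_252)
    for c in not_established(a):
        print("half-open on .191:", c.remote, c.state)
    for c in one_sided(a, b, "206.197.251.252"):
        print("on .191 but not on .252:", c.local, "<-", c.remote, c.prog)
```

Run against real tables by replacing the two constants with the output of `netstat -tanp` captured on each host at the same moment.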