[GRLUG] Rogue SSH Connections
L. V. Lammert
lvl at omnitec.net
Mon Oct 7 15:58:09 EDT 2013
Got one! The Linux box tried to open an ssh connection from 60301 on .252,
.. which leaves the two connections described previously.
On the BSD box:
lvl sshd 28242 5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301
root sshd 9103 5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301
tcpdump shows the connection from .252:
14:28:15.259420 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: S
2950403490:2950403490(0) win 14600 <mss 1460,sackOK,timestamp 405541957
0,nop,wscale 7> (DF)
14:28:15.259723 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: . ack
1733911734 win 115 <nop,nop,timestamp 405541957 3356340392> (DF)
BUT there is no process using 60301 on the Linux box:
# lsof | grep 60301
<blank>
Something is opening a connection and then dropping, .. there is a keypair
for user lvl (me), but with it disabled nothing changed.
Any more thoughts on how to isolate the source on the Linux box?
Thanks!
Lee
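Since lsof only samples the instant it runs, a connection that lives for a fraction of a second is easy to miss. The following is an added example, not code from this thread, that polls /proc/net/tcp (the table lsof itself reads), picks out sockets connected to the BSD box's 206.197.251.191:2206 from the addresses quoted above, and maps each socket inode to its owning PID via /proc/<pid>/fd; the embedded /proc/net/tcp line is constructed, and the live loop assumes it runs as root on the Linux box.

```python
import os
import time
# Constructed /proc/net/tcp sample: 206.197.251.252:60301 -> 206.197.251.191:2206, st 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: FCFBC5CE:EB8D BFFBC5CE:089E 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
"""

def hex_to_endpoint(field):
    """Decode 'AABBCCDD:PPPP': IPv4 in little-endian hex, port in hex."""
    addr_hex, port_hex = field.split(":")
    octets = [str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, inode) per row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = hex_to_endpoint(cols[1])
        rip, rport = hex_to_endpoint(cols[2])
        rows.append((lip, lport, rip, rport, int(cols[3], 16), int(cols[9])))
    return rows

def sockets_to(rows, remote_ip, remote_port):
    """Socket inodes connected (or connecting) to remote_ip:remote_port."""
    return [r[5] for r in rows if r[2] == remote_ip and r[3] == remote_port]

def pids_for_inode(inode, proc="/proc"):
    """PIDs whose /proc/<pid>/fd holds 'socket:[inode]'; empty if no visible process owns it."""
    owners = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited mid-scan, or not running as root
            continue
        if f"socket:[{inode}]" in targets:
            owners.append(int(pid))
    return owners
if __name__ == "__main__":
    while True:  # poll every 50 ms so a connect() lasting under a second is still seen
        with open("/proc/net/tcp") as f:
            rows = parse_proc_net_tcp(f.read())
        for inode in sockets_to(rows, "206.197.251.191", 2206):
            print(time.strftime("%H:%M:%S"), "inode", inode, "pids", pids_for_inode(inode))
        time.sleep(0.05)
```

If a matching inode keeps showing up with an empty PID list, the process is closing the socket before the scan reaches it, or the owner is not visible in this process table (for example another network namespace); logging the connect syscall with auditd is then the more reliable route.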