[GRLUG] Rogue SSH Connections

Mark Farver mfarver at mindbent.org
Mon Oct 7 16:43:15 EDT 2013


Check for crons?  Enable network audit logs on selinux?  Flush the
connections on the BSD box and see if they return.
On Oct 7, 2013 3:58 PM, "L. V. Lammert" <lvl at omnitec.net> wrote:

> Got one! The Linux box tried to open an ssh connection from 60301 on .252,
> .. which leaves the two connections described previously.
>
> On the BSD box:
>
> lvl      sshd       28242    5* internet stream tcp 0xd8fcc7ec
> 206.197.251.191:2206 <-- 206.197.251.252:60301
> root     sshd        9103    5* internet stream tcp 0xd8fcc7ec
> 206.197.251.191:2206 <-- 206.197.251.252:60301
>
> tcpdump shows the connection from .252:
>
> 14:28:15.259420 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: S
> 2950403490:2950403490(0) win 14600 <mss 1460,sackOK,timestamp 405541957
> 0,nop,wscale 7> (DF)
> 14:28:15.259723 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: . ack
> 1733911734 win 115 <nop,nop,timestamp 405541957 3356340392> (DF)
>
> BUT there is no process using 60301 on the Linux box:
>
> # lsof | grep 60301
>
> <blank>
>
> Something is opening a connection and then dropping, .. there is a keypair
> for user lvl (me), but with it disabled nothing changed.
>
> Any more thoughts on how to isolate the source on the Linux box?
>
>         Thanks!
>
>         Lee
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>
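An added example (not part of the thread, and not anything Mark or Lee posted) of the "network audit logs" route when lsof comes up empty because the connecting process is gone by the time you look. It assumes the Linux box runs auditd with a rule such as `auditctl -a always,exit -F arch=b64 -S connect -k netconn`; the audit records below are constructed to look like that rule's SYSCALL/SOCKADDR pairs, with the thread's destination .191:2206 in the first pair. The script joins the two record types by audit serial, decodes the sockaddr hex, and reports the pid, parent pid, uid and executable behind each connect() to the port in question.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample audit.log lines (not real output from either box).
# Pair 1: an ssh client connecting to the BSD box on 2206.
# Pair 2: an unrelated connect() to a web port, for contrast.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1381170495.259:1201): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c0e1a60 a2=10 a3=0 items=0 ppid=2210 pid=2221 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" key="netconn"
type=SOCKADDR msg=audit(1381170495.259:1201): saddr=0200089ECEC5FBBF0000000000000000
type=SYSCALL msg=audit(1381170501.004:1202): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c0e1a60 a2=10 a3=0 items=0 ppid=1 pid=3030 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="netconn"
type=SOCKADDR msg=audit(1381170501.004:1202): saddr=02000050C0A800010000000000000000
"""

# "type=X msg=audit(<seconds>:<serial>): <key=value fields>"
EVENT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value where value is either "quoted" or a bare token such as 4294967295 or (none)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(body):
    """Turn the key=value part of an audit record into a dict (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def decode_saddr(saddr_hex):
    """Decode the raw sockaddr hex auditd logs; returns (ip, port) for AF_INET, else None."""
    raw = bytes.fromhex(saddr_hex)
    family = struct.unpack('<H', raw[:2])[0]      # sa_family is in host order (x86: little-endian)
    if family != 2 or len(raw) < 8:               # 2 == AF_INET; skip AF_INET6 / AF_UNIX here
        return None
    port = struct.unpack('!H', raw[2:4])[0]       # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port


def connections_from_audit(log_text):
    """Join SYSCALL and SOCKADDR records by serial; one dict per completed connect() event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group('body'))
        ev = events[m.group('serial')]
        ev.setdefault('ts', float(m.group('ts')))
        if m.group('type') == 'SYSCALL':
            ev.update(pid=int(fields['pid']), ppid=int(fields['ppid']), uid=int(fields['uid']),
                      comm=fields.get('comm'), exe=fields.get('exe'), success=fields.get('success'))
        elif m.group('type') == 'SOCKADDR':
            dest = decode_saddr(fields['saddr'])
            if dest:
                ev['dst_ip'], ev['dst_port'] = dest
    return [ev for ev in events.values() if 'dst_ip' in ev and 'pid' in ev]


def find_connects_to(log_text, ip, port):
    """The events that actually targeted ip:port -- this is the lsof-replacement question."""
    return [ev for ev in connections_from_audit(log_text)
            if ev['dst_ip'] == ip and ev['dst_port'] == port]


if __name__ == '__main__':
    for ev in find_connects_to(SAMPLE_AUDIT_LOG, '206.197.251.191', 2206):
        print(f"{ev['ts']:.3f} pid={ev['pid']} ppid={ev['ppid']} uid={ev['uid']} "
              f"exe={ev['exe']} -> {ev['dst_ip']}:{ev['dst_port']} success={ev['success']}")
```

On a real box you would feed it `/var/log/audit/audit.log` (or the output of `ausearch -k netconn --raw`); the ppid is the useful bit for the cron question, since a cron-launched job will chain back to crond rather than to a login shell.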