[GRLUG] Rogue SSH Connections
L. V. Lammert
lvl at omnitec.net
Mon Oct 7 16:49:27 EDT 2013
On Mon, 7 Oct 2013, Mark Farver wrote:
> Check for crons?
>
Done that, .. nothing except standard ones.
> Enable network audit logs on selinux?
>
Don't use it.
> Flush the connections on the BSD box and see if they return.
>
They do, unfortunately.
I can SEE a packet originating on the Linux box every so often:
# tcpdump -A dst 206.197.251.191
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:42:16.254303 IP marvel.omnitec.net.60323 > apollo.omnitec.net.ssh:
Flags [P.], seq 2576625054:2576625086, ack 3719790227, win 164, options
[nop,nop,TS val 406652187 ecr 4170988506], length 32
E..T..@.?.................-...~............
.=....;....6.i.+.!K......ER....!5..T....
How could a process keep a port open, yet there be no way to observe the
port in a Linux kernel?
Lee
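One way to turn the observation above into a check (an added example, not code from the thread): compare the flows tcpdump sees on the wire with the sockets the kernel reports in /proc/net/tcp. A TCP flow that leaves the host but has no matching socket entry means the socket table is being hidden from user space, or the packets are not produced by an ordinary socket, and the box deserves an offline forensic look rather than more netstat. The sample tcpdump lines and /proc/net/tcp rows are constructed; 192.0.2.10 is a placeholder for the Linux box (the thread does not give its address), 206.197.251.191 is the BSD host from the tcpdump filter above, and 198.51.100.7 and 203.0.113.9 are made-up peers.

```python
"""Cross-check wire-visible TCP flows against the kernel socket table.

Added example for the GRLUG thread, not part of it. All sample data is
constructed; 192.0.2.10 stands in for the Linux box.
"""
import re
import socket
import struct

# TCP state codes as printed in /proc/net/tcp (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Service names tcpdump prints when run without -n, so lines in the
# "apollo.omnitec.net.ssh" style parse without consulting /etc/services.
PORT_NAMES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}

# Matches "IP src.sport > dst.dport:" in a tcpdump line (host or numeric form).
FLOW_RE = re.compile(r"\bIP (\S+?)\.(\w+) > (\S+?)\.(\w+):")

# Constructed sample: three flows as tcpdump -n would print them.
SAMPLE_TCPDUMP = """\
15:42:16.254303 IP 192.0.2.10.60323 > 206.197.251.191.22: Flags [P.], seq 2576625054:2576625086, ack 3719790227, win 164, length 32
15:42:17.100411 IP 192.0.2.10.51234 > 198.51.100.7.443: Flags [.], ack 1, win 500, length 0
15:42:18.004020 IP 203.0.113.9.40001 > 192.0.2.10.22: Flags [S], seq 7, win 29200, length 0
"""

# Constructed sample of /proc/net/tcp from a little-endian host: an sshd
# listener on *:22 and one established socket to 198.51.100.7:443.
# Note there is no socket for the 60323 -> 22 flow seen on the wire.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:C822 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def _hex_addr(field: str):
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field written by a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> dict:
    """Map (local_ip, local_port, remote_ip, remote_port) -> TCP state name."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue  # header line
        table[_hex_addr(cols[1]) + _hex_addr(cols[2])] = TCP_STATES.get(cols[3], cols[3])
    return table


def _port(token: str) -> int:
    """Numeric port, or a service name resolved via the table then /etc/services."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token) or socket.getservbyname(token)


def parse_tcpdump(text: str) -> set:
    """Extract (src_ip, src_port, dst_ip, dst_port) from tcpdump TCP lines."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.add((m.group(1), _port(m.group(2)), m.group(3), _port(m.group(4))))
    return flows


def find_hidden_connections(tcpdump_text: str, proc_text: str, local_ips: set) -> list:
    """Return wire flows touching this host that have no socket in the kernel table."""
    table = parse_proc_net_tcp(proc_text)
    hidden = []
    for src, sport, dst, dport in parse_tcpdump(tcpdump_text):
        if src in local_ips:
            key = (src, sport, dst, dport)          # outbound: local is the source
        elif dst in local_ips:
            key = (dst, dport, src, sport)          # inbound: local is the destination
        else:
            continue                                # between other hosts; not our sockets
        if key in table:
            continue
        # An inbound packet for a port with a LISTEN socket is expected even
        # before a connection entry exists (e.g. the first SYN).
        listeners = {("0.0.0.0", key[1], "0.0.0.0", 0), (key[0], key[1], "0.0.0.0", 0)}
        if dst in local_ips and any(table.get(k) == "LISTEN" for k in listeners):
            continue
        hidden.append((src, sport, dst, dport))
    return sorted(hidden)


if __name__ == "__main__":
    for flow in find_hidden_connections(SAMPLE_TCPDUMP, SAMPLE_PROC_NET_TCP, {"192.0.2.10"}):
        print("no kernel socket for wire flow %s:%d -> %s:%d" % flow)
```

On a live host the two inputs come from `tcpdump -n` on the same interface and a copy of /proc/net/tcp taken at the same moment (read the file directly rather than through netstat or ss, since a hooked userland tool would hide the same entry). If the flow is present on the wire but absent from the table read straight from /proc, the discrepancy is in the kernel or below it, which is the situation the question at the end of the post describes.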
_______________________________________________
grlug mailing list
grlug at grlug.org
http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug