[GRLUG] Rogue SSH Connections

L. V. Lammert lvl at omnitec.net
Mon Oct 7 16:49:27 EDT 2013


On Mon, 7 Oct 2013, Mark Farver wrote:

> Check for crons?
>
Done that... nothing except standard ones.

> Enable network audit logs on selinux?
>
Don't use it.

> Flush the connections on the BSD box and see if they return.
>
They do, unfortunately.

I can SEE a packet originating on the Linux box every so often:

# tcpdump -A dst 206.197.251.191
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:42:16.254303 IP marvel.omnitec.net.60323 > apollo.omnitec.net.ssh:
Flags [P.], seq 2576625054:2576625086, ack 3719790227, win 164, options
[nop,nop,TS val 406652187 ecr 4170988506], length 32
E..T.. at .?.................-...~............
.=....;....6.i.+.!K......ER....!5..T....

How could a process keep a port open, yet there be no way to observe the
port in a Linux kernel?

	Lee
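One way to chase the connection in the tcpdump line above from the Linux side, as an added example that is not part of this thread: it parses the /proc/net/tcp format, looks up the socket inode for the local port 60323 / remote port 22 pair, and maps that inode to the owning PID through /proc/<pid>/fd. The /proc/net/tcp sample embedded here is constructed (the remote address encodes 206.197.251.191 from the capture); if the live table has no row for a connection that tcpdump shows on the wire, that mismatch is the thing to investigate.

```python
import os

# Constructed /proc/net/tcp sample (not a real dump): row 0 is an established
# connection from local port 60323 (0xEBA3) to 206.197.251.191:22
# (BFFBC5CE:0016, octets little-endian) with socket inode 123456; row 1 is a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0A0A0A:EBA3 BFFBC5CE:0016 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
"""

def parse_proc_net_tcp(text):
    """Return (local_port, remote_port, state, inode) tuples, one per socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lport = int(f[1].split(":")[1], 16)     # port halves are plain hex
        rport = int(f[2].split(":")[1], 16)
        rows.append((lport, rport, int(f[3], 16), int(f[9])))
    return rows

def find_socket_inode(text, local_port, remote_port):
    """Inode of the socket with these ports, or None when the kernel's own
    table does not list a connection that was seen on the wire."""
    for lport, rport, _state, inode in parse_proc_net_tcp(text):
        if lport == local_port and rport == remote_port:
            return inode
    return None

def find_owner_pids(inode, proc="/proc"):
    """PIDs holding a descriptor for socket:[inode]; needs root to see other users' fds."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                          # process exited or permission denied
            continue
        if target in links:
            owners.append(int(pid))
    return sorted(owners)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:            # live check for the ports in the tcpdump line
        inode = find_socket_inode(fh.read(), 60323, 22)
    print("not in kernel table" if inode is None else "inode %d, PIDs %s" % (inode, find_owner_pids(inode)))
```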