Hello all,

I am seeing something a little odd when I view my network connections with
iptstate - for those who don't know it, it's kind of like top for network
connections. This is the output:

IPTables - State Top
Version: 1.2.1        Sort: SrcIP        s to change sorting

Source IP              Destination IP        Proto  State        TTL
155.247.228.161,1025   216.158.52.108,22     tcp    ESTABLISHED  82:48:12
192.168.0.1,631        192.168.0.255,631     udp                 0:00:10
192.168.0.5,35574      216.158.52.98,22      tcp    ESTABLISHED  119:59:59
192.168.0.5,32819      204.183.80.2,53       udp                 0:00:48
192.168.0.5,35575      192.168.0.1,22        tcp    ESTABLISHED  119:59:59

This box is firewall/NAT for a LAN, so all the 192.168.x.x addresses are
fine. It's the 155.x.x.x ssh'ing in that's bothering me.

steve@gashuffer:~$ ps ax | grep ssh
  237 ?        S      0:00 /usr/sbin/sshd
23217 ?        S      0:00 /usr/bin/ssh-agent sh /home/steve/.xsession
23310 pts/1    S      0:00 ssh mercury
23329 pts/2    S      0:00 ssh hadrian
25407 pts/3    S      0:00 grep ssh

netstat only shows the 2 outgoing connections - nothing coming in. I kind of
suspect this is a stale entry (especially with that TTL, which is slowly
counting down, unlike the two outgoing ones) from an ssh session I had over
the weekend, but I logged out cleanly (I thought). I have heard of rootkits
that hide their tracks from ps and such, but over ssh? Anybody seen this kind
of thing before? Should I be worried?

I suppose I should mention that chkrootkit came back clean, FWIW.
-- 
------------------------------------------------------------------------------
|Stephen Gran                 | Don't abandon hope: your Tom Mix decoder    |
|[EMAIL PROTECTED]            | ring arrives tomorrow.                      |
|http://www.lobefin.net/~steve|                                             |
------------------------------------------------------------------------------
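The check the post is doing by hand (compare the conntrack table against what the kernel's socket table actually shows) can be scripted. The example below is added here and is not the poster's or iptstate's code: it parses the iptstate rows and `netstat -tn` lines in the layout shown in the post (constructed samples, both embedded), and for every tcp ESTABLISHED conntrack entry that touches one of the box's own addresses it looks for a matching local socket. An entry with no socket behind it is either a stale conntrack record or something that ps/netstat cannot see, which is exactly the distinction the poster wants. It also turns the TTL into "seconds since the kernel last saw a packet for this flow", using the Linux default of 5 days (432000 s) for nf_conntrack_tcp_timeout_established, which is why the two live sessions sit at 119:59:59. The set of local addresses is an assumption (the post never states the box's public address; 216.158.52.108 is treated as it here), and the column layout assumed is the one the post shows, not a guarantee for other iptstate versions.

```python
"""Cross-check conntrack (iptstate) ESTABLISHED tcp entries against local sockets.

Added example, not part of the original post. The row layouts are modelled on the
output quoted in the post; LOCAL_IPS is an assumption about that box.
"""
import re

# Linux default for nf_conntrack_tcp_timeout_established: 5 days.
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 432000 s

# Constructed sample in the iptstate layout quoted in the post (data rows only).
IPTSTATE_SAMPLE = """\
155.247.228.161,1025 216.158.52.108,22 tcp ESTABLISHED 82:48:12
192.168.0.1,631 192.168.0.255,631 udp 0:00:10
192.168.0.5,35574 216.158.52.98,22 tcp ESTABLISHED 119:59:59
192.168.0.5,32819 204.183.80.2,53 udp 0:00:48
192.168.0.5,35575 192.168.0.1,22 tcp ESTABLISHED 119:59:59
"""

# Constructed sample of `netstat -tn` output for the same box: only the two
# outgoing ssh sessions the poster saw.
NETSTAT_SAMPLE = """\
tcp 0 0 192.168.0.5:35574 216.158.52.98:22 ESTABLISHED
tcp 0 0 192.168.0.5:35575 192.168.0.1:22 ESTABLISHED
"""

# Assumption: the box's LAN address plus its public address.
LOCAL_IPS = {"192.168.0.5", "216.158.52.108"}

_ADDR = re.compile(r"^(\d+\.\d+\.\d+\.\d+)[,:](\d+)$")


def _split_addr(token):
    """'1.2.3.4,22' or '1.2.3.4:22' -> ('1.2.3.4', 22)."""
    m = _ADDR.match(token)
    if not m:
        raise ValueError("unrecognised address token: %r" % token)
    return m.group(1), int(m.group(2))


def ttl_to_seconds(ttl):
    """'82:48:12' (hours:minutes:seconds as iptstate prints it) -> seconds."""
    h, m, s = (int(x) for x in ttl.split(":"))
    return h * 3600 + m * 60 + s


def parse_iptstate(text):
    """Parse iptstate rows: src dst proto [state] ttl."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # tcp rows carry a State column; udp rows in this layout do not.
        state = parts[3] if parts[2] == "tcp" else ""
        entries.append({
            "src": _split_addr(parts[0]),
            "dst": _split_addr(parts[1]),
            "proto": parts[2],
            "state": state,
            "ttl": ttl_to_seconds(parts[-1]),
        })
    return entries


def parse_netstat(text):
    """Collect tcp sockets from `netstat -tn` lines as (endpoint, endpoint) pairs.

    Both orderings are stored because conntrack lists the flow from the
    originator's side, which may be either end of the socket.
    """
    socks = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote = _split_addr(parts[3]), _split_addr(parts[4])
        socks.add((local, remote))
        socks.add((remote, local))
    return socks


def audit(entries, sockets, local_ips, timeout=TCP_ESTABLISHED_TIMEOUT):
    """Return ESTABLISHED tcp conntrack entries that touch this host but have no socket.

    Each finding is (src_ip, src_port, dst_ip, dst_port, idle_seconds), where
    idle_seconds is how long ago conntrack last saw a packet for the flow.
    Flows between two non-local addresses are NAT-forwarded LAN traffic and
    cannot be checked against this host's socket table, so they are skipped.
    """
    findings = []
    for e in entries:
        if e["proto"] != "tcp" or e["state"] != "ESTABLISHED":
            continue
        if e["src"][0] not in local_ips and e["dst"][0] not in local_ips:
            continue
        if (e["src"], e["dst"]) in sockets:
            continue
        idle = timeout - e["ttl"]
        findings.append((e["src"][0], e["src"][1], e["dst"][0], e["dst"][1], idle))
    return findings


if __name__ == "__main__":
    for src, sp, dst, dp, idle in audit(parse_iptstate(IPTSTATE_SAMPLE),
                                        parse_netstat(NETSTAT_SAMPLE), LOCAL_IPS):
        print("no socket for %s:%d -> %s:%d; no packet seen for %.1f hours"
              % (src, sp, dst, dp, idle / 3600.0))
```

On the sample data the only hit is the 155.247.228.161 entry, and its idle time works out to roughly 37 hours, which fits a session left over from the weekend whose FIN the firewall never saw. The same test on a live box (feed it real `iptstate -s` and `netstat -tn` output and the host's real addresses) separates "stale conntrack record, will expire on its own" from "flow with no visible socket, investigate": a stale record keeps counting down, while a live hidden session would get refreshed back toward 120:00:00 whenever traffic flows.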