On Sun, Nov 17, 2002 at 11:18:25PM -0500, Stephen Gran wrote:
> Hello all,
>
> I am seeing something a little odd when I view my network connections
> with iptstate - for those who don't know it, it's kind of like top for
> network connections. This is the output:
> IPTables - State Top
> Version: 1.2.1 Sort: SrcIP s to change sorting
> Source IP Destination IP Proto State TTL
> 155.247.228.161,1025 216.158.52.108,22 tcp ESTABLISHED 82:48:12
> 192.168.0.1,631 192.168.0.255,631 udp 0:00:10
> 192.168.0.5,35574 216.158.52.98,22 tcp ESTABLISHED 119:59:59
> 192.168.0.5,32819 204.183.80.2,53 udp 0:00:48
> 192.168.0.5,35575 192.168.0.1,22 tcp ESTABLISHED 119:59:59
>
> This box is firewall/NAT for a LAN, so all the 192.168.x.x addresses are
> fine. It's the 155.x.x.x ssh'ing in that's bothering me.
>
> steve@gashuffer:~$ ps ax | grep ssh
> 237 ? S 0:00 /usr/sbin/sshd
> 23217 ? S 0:00 /usr/bin/ssh-agent sh /home/steve/.xsession
> 23310 pts/1 S 0:00 ssh mercury
> 23329 pts/2 S 0:00 ssh hadrian
> 25407 pts/3 S 0:00 grep ssh
>
> netstat only shows the 2 outgoing connections - nothing coming in. I
> kind of suspect this is a stale entry (especially with that TTL, which
> is slowly counting down, unlike the two outgoing ones) from an ssh
> session I had over the weekend, but I logged out cleanly (I thought). I
> have heard of rootkits that hide their tracks from ps and such, but over
> ssh?

Probably someone scanned you, and then left their end of the connection hanging.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BC
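
An added example, not part of either message: cross-checking the iptstate rows quoted above against the socket table and estimating how long each unmatched entry has been idle. The netstat rows are constructed to match "the 2 outgoing connections", and the 5-day timeout for ESTABLISHED entries is the kernel default, assumed unchanged on this box.

```python
# iptstate rows copied from the quoted message above.
IPTSTATE = """\
155.247.228.161,1025 216.158.52.108,22 tcp ESTABLISHED 82:48:12
192.168.0.1,631 192.168.0.255,631 udp 0:00:10
192.168.0.5,35574 216.158.52.98,22 tcp ESTABLISHED 119:59:59
192.168.0.5,32819 204.183.80.2,53 udp 0:00:48
192.168.0.5,35575 192.168.0.1,22 tcp ESTABLISHED 119:59:59
"""
# Constructed `netstat -tn` rows (not from the message), consistent with
# the statement that netstat shows only the two outgoing connections.
NETSTAT = """\
tcp 0 0 192.168.0.5:35574 216.158.52.98:22 ESTABLISHED
tcp 0 0 192.168.0.5:35575 192.168.0.1:22 ESTABLISHED
"""
EST_TIMEOUT = 5 * 24 * 3600  # assumed: default conntrack timeout, ESTABLISHED TCP

def secs(ttl):
    """Convert iptstate's H:MM:SS countdown to seconds."""
    h, m, s = (int(x) for x in ttl.split(":"))
    return h * 3600 + m * 60 + s

def parse_iptstate(text):
    """Yield (src, dst, ttl_seconds) for tcp ESTABLISHED rows only."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2] == "tcp" and f[3] == "ESTABLISHED":
            yield f[0].replace(",", ":"), f[1].replace(",", ":"), secs(f[4])

def parse_netstat(text):
    """Return the set of (local, remote) pairs for ESTABLISHED TCP sockets."""
    rows = (line.split() for line in text.splitlines())
    return {(f[3], f[4]) for f in rows
            if len(f) == 6 and f[0] == "tcp" and f[5] == "ESTABLISHED"}

def unmatched(iptstate_text, netstat_text):
    """Tracked flows with no local socket in either direction, plus idle seconds."""
    socks = parse_netstat(netstat_text)
    return [(src, dst, EST_TIMEOUT - ttl)
            for src, dst, ttl in parse_iptstate(iptstate_text)
            if (src, dst) not in socks and (dst, src) not in socks]

if __name__ == "__main__":
    for src, dst, idle in unmatched(IPTSTATE, NETSTAT):
        print(f"{src} -> {dst}: no local socket, idle ~{idle // 3600}h")
```

On a NAT box, forwarded flows also have no local socket, so an unmatched entry is a lead to check against sshd's own logs rather than a finding by itself. An idle time that lines up with a known session and a TTL that only counts down both point to a leftover entry that will expire without further action.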