[Cialug] Rogue SSH Connections
Barry Von Ahsen
vonahsen at gmail.com
Mon Oct 7 15:12:36 CDT 2013
lsof needs -i4 to show internet "files" - does
# lsof -i4 | grep 60301
show anything?
or to confirm I'm not crazy, does
# lsof -i4 | grep <some port netstat shows open>
work?
-barry
On Oct 7, 2013, at 3:01 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> Having a problem with ssh connections being opened from a Linux box to a
> BSD box (here in the shop), .. in the example below, the Linux box tried
> to open an ssh connection from 60301 on .252,.. which leaves the two
> connections open - one lvl (me), and one root:
>
> On the BSD box:
>
> lvl sshd 28242 5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301
> root sshd 9103 5* internet stream tcp 0xd8fcc7ec 206.197.251.191:2206 <-- 206.197.251.252:60301
>
> tcpdump shows the connection from .252:
>
> 14:28:15.259420 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: S
> 2950403490:2950403490(0) win 14600 <mss 1460,sackOK,timestamp 405541957
> 0,nop,wscale 7> (DF)
> 14:28:15.259723 marvel.omnitec.net.60301 > apollo.omnitec.net.2206: . ack
> 1733911734 win 115 <nop,nop,timestamp 405541957 3356340392> (DF)
>
> BUT there is no process using 60301 on the Linux box:
>
> # lsof | grep 60301
>
> <blank>
>
> Something is opening a connection and then dropping it on the Linux box -
> this occurs multiple times a day and eventually blocks sshd from
> accepting a connection.
>
> There is a keypair for user lvl (me), but with it disabled nothing
> changed.
>
> Any more thoughts on how to isolate the source on the Linux box?
>
> Thanks!
>
> Lee
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
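The socket in Lee's trace is open for milliseconds, which is why a one-shot lsof finds nothing even when the port is in the tcpdump. The script below is an added example, not code from either poster: it polls `ss -tnp` on the Linux box and records the pid and command that owns any connection using the suspect source port (60301 here). The `ss` column layout, the log path and the constructed sample line are assumptions; the sample reuses the addresses from the thread purely for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): catch the owner of a short-lived
# outbound connection that "lsof | grep 60301" misses.  Polls "ss -tnp" and
# logs the pid/command behind any socket whose local port matches.

# Constructed sample of "ss -tnp" output, used for the offline demo only.
# Real runs feed live ss output into owner_of_port instead.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 206.197.251.252:60301 206.197.251.191:2206 users:(("ssh",pid=4321,fd=3))
ESTAB 0 0 206.197.251.252:45000 10.0.0.1:443 users:(("curl",pid=99,fd=5))'

# Read "ss -tnp" lines on stdin; print "pid=... cmd=... local=... peer=..."
# for each line whose local port equals $1.  Assumes the usual ss layout:
# State Recv-Q Send-Q Local:Port Peer:Port Process.
owner_of_port() {
    port="$1"
    awk -v port="$port" '
        $1 == "State" { next }              # skip the header line
        {
            n = split($4, la, ":")          # port is the last ":"-separated piece
            if (la[n] != port) next
            pid = ""; cmd = ""
            if (match($0, /pid=[0-9]+/))
                pid = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /\(\("[^"]+"/))   # (("ssh" -> ssh
                cmd = substr($0, RSTART + 3, RLENGTH - 4)
            printf "pid=%s cmd=%s local=%s peer=%s\n", pid, cmd, $4, $5
        }'
}

# Poll ss every 0.2 s (GNU sleep accepts fractions) and append timestamped
# hits to a log.  Usage: watch_port 60301 /var/log/rogue-ssh.log
watch_port() {
    port="$1"; log="${2:-/dev/stdout}"
    while :; do
        ss -tnp | owner_of_port "$port" | while read -r line; do
            printf '%s %s\n' "$(date '+%F %T')" "$line" >> "$log"
        done
        sleep 0.2
    done
}

# Offline demo against the constructed sample:
demo() {
    printf '%s\n' "$SAMPLE_SS" | owner_of_port 60301
}
```

Run `watch_port 60301` as root on the Linux box and leave it until the next connection appears; the logged pid and command name identify whether it is a cron job, a monitoring agent or something else. If the socket still slips between two polls, an audit rule on the connect syscall (`auditctl -a always,exit -F arch=b64 -S connect -k ssh-probe`, then `ausearch -k ssh-probe`) records every caller without any polling gap.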