
RE: sshd sending packets outside lan during local connection



Turn BIND's query logging on and see what it's trying to
look up.  You can do this from the shell (as root) by
entering "ndc querylog".  Then take a look at your log
files and see exactly what it's doing.  As someone pointed
out, I would also guess that it's attempting to perform
lookups on the IP that you're connecting from.

j.

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net>

-----Original Message-----
From: Jeff Stevens [mailto:jeff_stevens40@hotmail.com]
Sent: Sunday, January 13, 2002 10:27 PM
To: debian-security@lists.debian.org
Subject: sshd sending packets outside lan during local connection


I am using Debian Potato 2.2.19ide-pci and running openssh (3.0.2p1) and
bind (version: 1:8.2.3-0.potato.1).  It is also being used as a firewall
for a local network.  It has 2 nic cards, one with an internal ip and one
with an external ip.
When I ssh locally (to the internal ip) to this firewall it sends out
packets to my ISP.  If I unplug the "external ip" nic before entering the
password then the connection pauses for about a minute before connecting.

I am no expert as I have just started using Debian, but it seems like
the password is being sniffed.  I'm not exactly sure what the tcpdump
output shows (ATTACHED with route info) but it seems to be doing a domain
name look up (but I could be wrong).  I have no idea why it would have to
do a domain look-up because I connect via ip address
(ssh root@192.168.x.x) which is inside the local network.

Earlier I made the mistake of offering bind publicly.  I recently
changed this but I don't know if I was compromised during the time it was
public.  I am hoping this is just a misconfiguration problem.  Any
suggestions would be greatly appreciated.  Thanks in advance.

--Jeff
Debian user
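
Added example, not part of either message above: once query logging is on, this sketch builds the in-addr.arpa name that a reverse lookup of the connecting client's address would use and filters a query log for it. The client address 192.168.1.20 and the sample log lines are constructed for illustration and are not BIND's exact log format; the match only assumes the queried name appears somewhere in each line.

```shell
#!/bin/sh
# ptr_name IPV4: print the in-addr.arpa name queried for a reverse lookup.
ptr_name() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;        # digits and dots only
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*) return 1 ;;        # empty or longer than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# ptr_queries IPV4: read log lines on stdin, print those naming its PTR record.
ptr_queries() {
    name=$(ptr_name "$1") || return 2
    # Escape the dots, and require a non-digit before the name so that
    # 120.1.168.192.in-addr.arpa is not mistaken for 20.1.168.192.in-addr.arpa.
    pattern=$(printf '%s' "$name" | sed 's/\./\\./g')
    grep -i -E -- "(^|[^0-9.])$pattern"
}

# Constructed sample lines (assumed layout, for illustration only).
sample_log() {
    cat <<'EOF'
Jan 13 22:20:01 fw named: query from 192.168.1.1: 20.1.168.192.in-addr.arpa PTR
Jan 13 22:20:06 fw named: query from 192.168.1.1: 20.1.168.192.IN-ADDR.ARPA PTR
Jan 13 22:20:09 fw named: query from 192.168.1.1: 120.1.168.192.in-addr.arpa PTR
Jan 13 22:21:30 fw named: query from 192.168.1.20: www.example.org A
EOF
}

# Show the reverse-lookup queries for the (assumed) ssh client address.
sample_log | ptr_queries 192.168.1.20
```

Matches clustered around the time of the ssh login support the reverse-lookup explanation for the outbound packets; on a real system, pipe the actual log file into `ptr_queries` instead of `sample_log`.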




