Hello all,
I am seeing something a little odd when I view my network connections
with iptstate - for those who don't know it, it's kind of like top for
network connections. This is the output:
IPTables - State Top
Version: 1.2.1 Sort: SrcIP s to change sorting
Source IP Destination IP Proto State TTL
155.247.228.161,1025 216.158.52.108,22 tcp ESTABLISHED 82:48:12
192.168.0.1,631 192.168.0.255,631 udp 0:00:10
192.168.0.5,35574 216.158.52.98,22 tcp ESTABLISHED 119:59:59
192.168.0.5,32819 204.183.80.2,53 udp 0:00:48
192.168.0.5,35575 192.168.0.1,22 tcp ESTABLISHED 119:59:59
This box is firewall/NAT for a LAN, so all the 192.168.x.x addresses are
fine. It's the 155.x.x.x ssh'ing in that's bothering me.
steve@gashuffer:~$ ps ax | grep ssh
237 ? S 0:00 /usr/sbin/sshd
23217 ? S 0:00 /usr/bin/ssh-agent sh /home/steve/.xsession
23310 pts/1 S 0:00 ssh mercury
23329 pts/2 S 0:00 ssh hadrian
25407 pts/3 S 0:00 grep ssh
netstat only shows the 2 outgoing connections - nothing coming in. I
kind of suspect this is a stale entry (especially with that TTL, which
is slowly counting down, unlike the two outgoing ones) from an ssh
session I had over the weekend, but I logged out cleanly (I thought). I
have heard of rootkits that hide their tracks from ps and such, but over
ssh?
Anybody seen this kind of thing before? Should I be worried? I suppose
I should mention that chkrootkit came back clean, FWIW.
--
------------------------------------------------------------------------------
|Stephen Gran | Don't abandon hope: your Tom Mix decoder |
|steve@lobefin.net | ring arrives tomorrow. |
|http://www.lobefin.net/~steve | |
| | |
------------------------------------------------------------------------------
Attachment:
pgpfnw5K0622R.pgp
Description: PGP signature