
Re: Odd iptstate entry

On Sun, Nov 17, 2002 at 11:18:25PM -0500, Stephen Gran wrote:
> Hello all,
> I am seeing something a little odd when I view my network connections
> with iptstate - for those who don't know it, it's kind of like top for
> network connections.  This is the output:
>                                                     IPTables - State Top
> Version: 1.2.1        Sort: SrcIP           s to change sorting
> Source IP             Destination IP        Proto   State        TTL    
>,1025,22     tcp     ESTABLISHED   82:48:12
>,631,631     udp                    0:00:10
>,35574,22      tcp     ESTABLISHED  119:59:59
>,32819,53       udp                    0:00:48
>,35575,22        tcp     ESTABLISHED  119:59:59
> This box is firewall/NAT for a LAN, so all the 192.168.x.x addresses are
> fine.  It's the 155.x.x.x ssh'ing in that's bothering me.
> steve@gashuffer:~$ ps ax | grep ssh
>   237 ?        S      0:00 /usr/sbin/sshd
> 23217 ?        S      0:00 /usr/bin/ssh-agent sh /home/steve/.xsession
> 23310 pts/1    S      0:00 ssh mercury
> 23329 pts/2    S      0:00 ssh hadrian
> 25407 pts/3    S      0:00 grep ssh
> netstat only shows the 2 outgoing connections - nothing coming in.  I
> kind of suspect this is a stale entry (especially with that TTL, which
> is slowly counting down, unlike the two outgoing ones) from an ssh
> session I had over the weekend, but I logged out cleanly (I thought).  I
> have heard of rootkits that hide their tracks from ps and such, but over
> ssh?

 Probably someone scanned you, and then left their end of the connection

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
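The cross-check described in the quoted question (conntrack entries versus the sockets netstat reports), as an added example that is not part of the original thread: it flags ESTABLISHED entries that involve the firewall itself but have no local socket, and reports how long each entry has been idle. Assumptions: input in the `/proc/net/ip_conntrack` and `netstat -tn` line formats, the default 5-day (120 hour) ESTABLISHED timeout, and constructed sample addresses; the function names are hypothetical.

```python
EST_TIMEOUT = 432000  # assumed: default 5-day timer for ESTABLISHED TCP entries
# Constructed sample data (documentation addresses), not from the post.
CONNTRACK = """\
tcp 6 298092 ESTABLISHED src=203.0.113.7 dst=198.51.100.1 sport=1025 dport=22 src=198.51.100.1 dst=203.0.113.7 sport=22 dport=1025 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=198.51.100.1 dst=192.0.2.10 sport=35574 dport=22 src=192.0.2.10 dst=198.51.100.1 sport=22 dport=35574 [ASSURED] use=1
tcp 6 431990 ESTABLISHED src=192.168.1.20 dst=192.0.2.80 sport=40000 dport=80 src=192.0.2.80 dst=198.51.100.1 sport=80 dport=40000 [ASSURED] use=1
"""
NETSTAT = "tcp 0 0 198.51.100.1:35574 192.0.2.10:22 ESTABLISHED\n"
LOCAL_ADDRS = {"198.51.100.1", "192.168.1.1"}  # the firewall's own addresses

def parse_conntrack(text):
    """Yield (seconds_left, state, (src, sport, dst, dport)) per TCP entry."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != "tcp":
            continue
        kv = {}
        for tok in f[4:]:
            k, sep, v = tok.partition("=")
            if sep:
                kv.setdefault(k, v)  # first occurrence = original direction
        yield int(f[2]), f[3], (kv["src"], int(kv["sport"]), kv["dst"], int(kv["dport"]))

def parse_netstat(text):
    """Return {(local, lport, remote, rport)} for ESTABLISHED TCP sockets."""
    socks = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "ESTABLISHED":
            (la, lp), (ra, rp) = f[3].rsplit(":", 1), f[4].rsplit(":", 1)
            socks.add((la, int(lp), ra, int(rp)))
    return socks

def classify(conntrack, netstat, local_addrs, timeout=EST_TIMEOUT):
    """Return [(src, sport, dst, dport, verdict, idle_seconds)]."""
    socks, out = parse_netstat(netstat), []
    for left, state, (src, sport, dst, dport) in parse_conntrack(conntrack):
        if state != "ESTABLISHED":
            continue
        if src in local_addrs:    # connection made from this box
            verdict = "socket" if (src, sport, dst, dport) in socks else "no-socket"
        elif dst in local_addrs:  # connection made to this box
            verdict = "socket" if (dst, dport, src, sport) in socks else "no-socket"
        else:                     # NATed LAN traffic never has a local socket
            verdict = "forwarded"
        out.append((src, sport, dst, dport, verdict, timeout - left))
    return out

if __name__ == "__main__":
    for row in classify(CONNTRACK, NETSTAT, LOCAL_ADDRS):
        print(*row)
```

A `no-socket` verdict with a large idle time only says that the tracking entry has outlived any socket the kernel reports; it does not by itself distinguish a stale entry from a hidden process.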
