
RE: Odd iptstate entry

>-----Original Message-----
>From: Peter Cordes [mailto:peter@llama.nslug.ns.ca]
>Sent: Sunday, November 17, 2002 10:52 PM
>To: Debian Security
>Subject: Re: Odd iptstate entry
>
>On Sun, Nov 17, 2002 at 11:18:25PM -0500, Stephen Gran wrote:
>> Hello all,
>>
>> I am seeing something a little odd when I view my network connections
>> with iptstate - for those who don't know it, it's kind of like top for
>> network connections.  This is the output:
>>                                                     IPTables - State Top
>> Version: 1.2.1        Sort: SrcIP           s to change sorting
>> Source IP             Destination IP        Proto   State        TTL
>> 155.247.228.161,1025  216.158.52.108,22     tcp     ESTABLISHED  82:48:12
>> 192.168.0.1,631       192.168.0.255,631     udp                  0:00:10
>> 192.168.0.5,35574     216.158.52.98,22      tcp     ESTABLISHED  119:59:59
>> 192.168.0.5,32819     204.183.80.2,53       udp                  0:00:48
>> 192.168.0.5,35575     192.168.0.1,22        tcp     ESTABLISHED  119:59:59
>>
>> This box is firewall/NAT for a LAN, so all the 192.168.x.x addresses are
>> fine.  It's the 155.x.x.x ssh'ing in that's bothering me.
>>
>> steve@gashuffer:~$ ps ax | grep ssh
>>   237 ?        S      0:00 /usr/sbin/sshd
>> 23217 ?        S      0:00 /usr/bin/ssh-agent sh /home/steve/.xsession
>> 23310 pts/1    S      0:00 ssh mercury
>> 23329 pts/2    S      0:00 ssh hadrian
>> 25407 pts/3    S      0:00 grep ssh
>>
>> netstat only shows the 2 outgoing connections - nothing coming in.  I
>> kind of suspect this is a stale entry (especially with that TTL, which
>> is slowly counting down, unlike the two outgoing ones) from an ssh
>> session I had over the weekend, but I logged out cleanly (I thought).  I
>> have heard of rootkits that hide their tracks from ps and such, but over
>> ssh?
>
> Probably someone scanned you, and then left their end of the connection hanging.

It could also be something more; compare the md5sum of the netstat binary with a known safe version, perhaps on another machine with the same version installed and the same upgrades, or get a copy of a clean netstat and run that to make sure.

Vince Hillier
vdh@plutonium.homeunix.com
http://plutonium.homeunix.com

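As an added example (not from the thread or any of its authors), a small Python check for exactly the mismatch Stephen describes: conntrack rows that claim an ESTABLISHED TCP flow ending on the firewall while the socket table shows nothing for it. The iptstate and netstat rows and the firewall's own addresses (192.168.0.1 and 216.158.52.108) are constructed assumptions; NAT-forwarded LAN flows are skipped rather than flagged, since they never appear in the firewall's own socket table.

```python
"""Flag ESTABLISHED tcp conntrack rows (iptstate layout) ending on this host that have
no socket in `netstat -tn`: stale entries, or ones netstat cannot see. Constructed data."""
import re
from collections import namedtuple
IPTSTATE_SAMPLE = """\
155.247.228.161,1025  216.158.52.108,22     tcp     ESTABLISHED  82:48:12
192.168.0.1,631       192.168.0.255,631     udp                  0:00:10
192.168.0.5,35574     216.158.52.98,22      tcp     ESTABLISHED  119:59:59
192.168.0.5,32819     204.183.80.2,53       udp                  0:00:48
192.168.0.5,35575     192.168.0.1,22        tcp     ESTABLISHED  119:59:59
"""
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.1:22          192.168.0.5:35575       ESTABLISHED
"""
LOCAL_ADDRS = {"192.168.0.1", "216.158.52.108"}  # assumed firewall LAN/external IPs

Entry = namedtuple("Entry", "src sport dst dport proto state ttl")
ROW = re.compile(r"^(\S+),(\d+)\s+(\S+),(\d+)\s+(\w+)\s+(?:([A-Z_]+)\s+)?(\d+:\d\d:\d\d)$")
def parse_iptstate(text):
    """Parse iptstate rows into Entry tuples; header and blank lines are skipped."""
    rows = [ROW.match(line.strip()) for line in text.splitlines()]
    return [Entry(m[1], int(m[2]), m[3], int(m[4]), m[5], m[6] or "", m[7])
            for m in rows if m]

def parse_netstat(text):
    """Return {(local_ip, local_port, remote_ip, remote_port)} from `netstat -tn`."""
    socks = set()
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 5 and f[0].startswith("tcp"):
            (lip, lport), (rip, rport) = (x.rsplit(":", 1) for x in f[3:5])
            socks.add((lip, int(lport), rip, int(rport)))
    return socks

def local_key(e, local_addrs):
    """Socket-table key for a flow ending on this host; None for forwarded flows."""
    if e.dst in local_addrs:
        return (e.dst, e.dport, e.src, e.sport)  # inbound to this host
    if e.src in local_addrs:
        return (e.src, e.sport, e.dst, e.dport)  # outbound from this host
    return None  # NAT-forwarded LAN flow: never in the firewall's own socket table

def unbacked_tcp_flows(entries, local_addrs, sockets):
    """ESTABLISHED tcp entries that end on this host but no local socket backs."""
    return [e for e in entries if e.proto == "tcp" and e.state == "ESTABLISHED"
            and (k := local_key(e, local_addrs)) is not None and k not in sockets]

if __name__ == "__main__":
    for e in unbacked_tcp_flows(parse_iptstate(IPTSTATE_SAMPLE), LOCAL_ADDRS,
                                parse_netstat(NETSTAT_SAMPLE)):
        print(f"no socket backs {e.src}:{e.sport} -> {e.dst}:{e.dport} (ttl {e.ttl})")
```

With the constructed data only the 155.247.228.161 row is reported; a flagged row whose TTL keeps counting down toward zero without ever being refreshed is the stale-entry case, one whose TTL keeps resetting deserves the binary check Vince suggests.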