On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
> On Fri, 25 Jun 2010 03:30:52 -0500
> Stan Hoeppner <stan@hardwarefreak.com> wrote:
>
> > Marc Shapiro put forth on 6/24/2010 9:47 AM:
> >
> > > I am getting lines
> > > like:
> > > tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
> > > tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
> >
> > It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
> > SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>
> Why is outbound ssh access indicative of root access?

The thing that confuses me here is that these look like outbound
connections, from a local high port to a remote :22, but then why are
they ssh*d* processes rather than ssh? Some sort of port-forwarding?

Cheers,
Tom

--
"...a most excellent barbarian ... Genghis Kahn!"
-- _Bill And Ted's Excellent Adventure_
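The mismatch raised in this message (a process named sshd owning a socket from a local high port to a remote :22) can be checked mechanically. The following is an added example, not part of the original thread; it assumes `netstat -tnp` column order and an SSH daemon listening on port 22, and the function names are hypothetical.

```python
from typing import List, NamedTuple

# Rows 1-2 are the lines quoted in the thread; rows 3-4 are constructed for contrast.
SAMPLE = """\
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 192.168.1.2:22 192.168.1.7:51844 ESTABLISHED 1201/sshd
tcp 0 0 192.168.1.2:40112 192.168.1.9:22 ESTABLISHED 2210/ssh
"""

class Conn(NamedTuple):
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int
    program: str

def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -tnp`-style rows; skip headers and rows without a PID."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        pid, sep, prog = " ".join(f[6:]).partition("/")
        if not sep or not pid.isdigit():
            continue  # "-" means netstat could not see the owning process
        _, lport = f[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
        raddr, rport = f[4].rsplit(":", 1)
        if not (lport.isdigit() and rport.isdigit()):
            continue  # listening sockets show "*" as the remote port
        conns.append(Conn(int(lport), raddr, int(rport), f[5], int(pid),
                          prog.split(":")[0].strip()))
    return conns

def daemon_initiated_ssh(conns, daemon="sshd", listen_ports=frozenset({22})):
    """Sockets owned by the SSH daemon that point *towards* a remote :22.

    A genuine inbound session has the daemon's listening port on the local
    side. Port forwarding can also produce daemon-owned outbound sockets,
    so a hit is a lead to investigate, not proof.
    """
    return [c for c in conns
            if c.program == daemon
            and c.local_port not in listen_ports
            and c.remote_port == 22]

if __name__ == "__main__":
    for c in daemon_initiated_ssh(parse_netstat(SAMPLE)):
        print(f"review pid {c.pid} ({c.program}): -> {c.remote_addr}:{c.remote_port} [{c.state}]")
```

For each flagged PID, comparing `/proc/<pid>/exe` against the packaged sshd binary shows whether the process name matches what is actually running.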