This probably isn't the right list for this, but in the worst case, I
can hope for useful pointers to where to search.
I have a handful of m0n0wall log entries (8 over the course of 90
seconds) that look like this:
ipmon: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 -> 126.96.36.199,46422 PR tcp len 20 60 -AS IN
All 8 instances are the same (except for the time). Same source,
destination and ports.
192.168.2.7 is not publicly accessible (behind NAT with no pinholes or
the like to it). It's running Suse 9.0. And it is running a number of
services for a chunk of my local network.
No obvious cron jobs were running at the time. The fact that this
comes FROM a privileged port is particularly worrying. That it is port
22 makes me think that something is trying to slip past sloppy firewall
I've googled a bit to see if there is discussion of something like
this, but didn't find anything.
Jeffrey Goldberg http://www.goldmark.org/jeff/
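A small parser for the ipmon (IPFilter) log format quoted in the post, added here as an example and not part of the original message; the sample input is the entry above re-joined onto one line, and the field meanings assumed are ipmon's usual layout (time, interface, @group:rule, action letter, src,port -> dst,port, protocol, IP header and total length, TCP flag letters, IN/OUT direction). The classifier only states what the decoded fields say about the packet.

```python
import re
from dataclasses import dataclass

# Constructed sample: the m0n0wall entry from the post, re-joined onto one line.
SAMPLE = ("ipmon: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 -> "
          "126.96.36.199,46422 PR tcp len 20 60 -AS IN")

# ipmon field order: time iface @group:rule action src,sport -> dst,dport
#                    PR proto len <ip-hdr-len> <total-len> [-flags] IN|OUT
IPMON_RE = re.compile(
    r"ipmon:\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpnsL])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPU]+))?\s+(?P<direction>IN|OUT)\s*$"
)
ACTIONS = {"b": "blocked", "p": "passed", "n": "nomatch", "s": "short", "L": "logged"}
TCP_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

@dataclass
class IpmonEntry:
    time: str
    iface: str
    rule: str          # "group:rule" that matched
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset   # decoded TCP flag names; empty for non-TCP
    direction: str     # IN = arrived on iface, OUT = leaving via iface

def parse_ipmon(line: str) -> IpmonEntry:
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError(f"not an ipmon entry: {line!r}")
    g = m.groupdict()
    return IpmonEntry(
        time=g["time"], iface=g["iface"], rule=f'{g["group"]}:{g["rule"]}',
        action=ACTIONS[g["action"]], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), proto=g["proto"],
        flags=frozenset(TCP_FLAGS[c] for c in (g["flags"] or "")),
        direction=g["direction"])

def classify(e: IpmonEntry) -> list[str]:
    """Defender-side notes on what the decoded fields say about the packet."""
    notes = []
    if e.proto == "tcp" and e.flags == {"SYN", "ACK"}:
        notes.append("syn-ack: server half of a TCP handshake, not a new connection")
    if e.sport < 1024:
        notes.append(f"privileged source port {e.sport}: sent by a service, not a client")
    if e.action == "blocked":
        notes.append(f"blocked by rule {e.rule}: no pass rule or state entry matched it")
    return notes
```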