 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 07:53:17 -0800
This probably isn't the right list for this, but in the worst case, I 
can hope for useful pointers to where to search.

I have a handful of m0n0wall log entries (8 over the course of 90 
seconds) that look like this

ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 ->
    208.179.71.132,46422 PR tcp len 20 60 -AS IN

All 8 instances are the same (except for the time).  Same source, 
destinations and ports.

192.168.2.7 is not publicly accessible (behind NAT with no pinholes or 
the like to it).  It's running Suse 9.0.  And it is running a number of 
services for a chunk of my local network.

No obvious cron jobs were running at the time.  The fact that this 
comes FROM a privileged port is particularly worrying.  That it is port 
22 makes me think that something is trying to slip past sloppy firewall 
rules.

I've googled a bit to see if there is discussion of something like 
this, but didn't find anything.

-j

-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
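The log line quoted in the message is in ipmon's (IPFilter's log daemon) packet log format, and most of the question turns on what its fields mean: the `b` is the block/pass verdict, `@0:31` is the rule group and number that matched, `-AS` lists the TCP flags set in the segment (ACK and SYN), and `IN`/`OUT` is the direction relative to the named interface. The parser below is an added illustration, not code from the list or from m0n0wall; it decodes the line from the message (embedded as the sample) into fields and states what the flag combination implies for where the connection was initiated, which is the first thing a defender would want to pin down before deciding whether the host is compromised.

```python
"""Decode an IPFilter (ipmon) packet log line, as logged by m0n0wall.

Added illustration; not code from the list or from m0n0wall.  Field meanings
follow ipmon's output format; the sample line is the one quoted in the message,
re-joined onto a single line.
"""
import re
from dataclasses import dataclass, field

# Sample line from the message above (the mail client had wrapped it).
SAMPLE = ("ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 -> "
          "208.179.71.132,46422 PR tcp len 20 60 -AS IN")

# Letters ipmon prints after the '-' for the TCP flags set in the segment.
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

LINE_RE = re.compile(
    r"ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+"                      # b = blocked, p = passed
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"  # header len, total len
    r"(?:\s+-(?P<flags>[SAFRPU]+))?"            # TCP flags, only present for tcp
    r"\s+(?P<direction>IN|OUT)\b"               # direction relative to iface
)


@dataclass
class IpmonRecord:
    time: str
    iface: str
    group: int
    rule: int
    blocked: bool
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcp_flags: frozenset = field(default_factory=frozenset)
    inbound: bool = True


def parse_ipmon(line: str) -> IpmonRecord:
    """Parse one ipmon packet log line; raises ValueError on anything else."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an ipmon packet log line: {line!r}")
    flags = frozenset(TCP_FLAG_NAMES[c] for c in (m["flags"] or ""))
    return IpmonRecord(
        time=m["time"], iface=m["iface"],
        group=int(m["group"]), rule=int(m["rule"]),
        blocked=(m["action"] == "b"),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], tcp_flags=flags,
        inbound=(m["direction"] == "IN"),
    )


def handshake_role(flags: frozenset) -> str:
    """Classify a TCP segment by the handshake step its flags indicate."""
    if "SYN" in flags and "ACK" not in flags:
        return "connection request (SYN): the source is initiating"
    if "SYN" in flags and "ACK" in flags:
        return "handshake reply (SYN-ACK): the source is answering a request it received"
    if "RST" in flags:
        return "reset"
    return "established-connection traffic"


def explain(rec: IpmonRecord) -> list:
    """Return human-readable observations about a parsed record."""
    notes = [
        f"{'blocked' if rec.blocked else 'passed'} by rule @{rec.group}:{rec.rule} "
        f"on {rec.iface}, seen {'inbound' if rec.inbound else 'outbound'} on that interface",
        f"{rec.proto} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}",
    ]
    if rec.proto == "tcp":
        notes.append(handshake_role(rec.tcp_flags))
        if {"SYN", "ACK"} <= rec.tcp_flags:
            # A SYN-ACK is only ever sent in answer to a SYN, so the interesting
            # packet is the earlier one addressed to src:sport from dst:dport.
            notes.append(
                f"a SYN-ACK implies a SYN for {rec.src}:{rec.sport} reached the host from "
                f"{rec.dst}:{rec.dport}; look for that earlier packet in the log and "
                f"note which interface it entered on"
            )
    return notes


if __name__ == "__main__":
    for note in explain(parse_ipmon(SAMPLE)):
        print(note)
```

The point the decoder makes explicit is that the source port being 22 is not by itself evidence of an outbound connection: the `-AS` flags mark this as the second step of a TCP handshake, i.e. the host on port 22 replying to a connection attempt, so the useful next step in the firewall log is to find the matching SYN and see on which interface it arrived.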