 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  "Andrew M. Gehring" <agehring at netze dot net>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 09:00:07 -0800
[Andrew, I'm cc'ing my response back to the list.]

On Jan 28, 2005, at 8:13 AM, Andrew M. Gehring wrote:

> Do you (or someone on your network) have anything to do with
> http://www.bluemidnight.com ?

Not to my knowledge, but I think I'll start logging all traffic to and 
from there.  There are only two people who should have log on access to 
that machine.  I'm one and the other is being bcc'ed on this.

> If not, I would say somebody has access to the .7 system on your 
> network,
> and is SSHing to bluemidnight...

Note that the SOURCE port was 22, not the destination port.  So it was 
not going to some standard SSH service.  However, using 22 may have 
been an effort to mislead and confuse people/systems reading logs.  
Also, to send something with a source port of 22 requires root 

Maybe I am just misreading things, and this is something harmless.  I'm 
hoping that someone will tell me that.


Jeffrey Goldberg                        http://www.goldmark.org/jeff/
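
An added example, not part of the original message: one way to triage blocked outbound TCP entries whose source port is 22. It separates packets that look like replies from a local SSH server (ACK or RST set) from a connection opened from source port 22 (bare SYN), which on Unix needs root to bind. The log line layout, addresses and function names are constructed for illustration and are not m0n0wall's log format.

```python
import re

# Constructed log layout: "<dir> <src>:<sport> -> <dst>:<dport> flags=<TCP flags>"
LINE = re.compile(
    r"(?P<dir>in|out) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[SAFRPU]+)"
)

# Constructed sample entries (documentation address ranges only).
SAMPLE_LOG = """\
out 192.0.2.7:22 -> 198.51.100.20:51324 flags=SA
out 192.0.2.7:22 -> 198.51.100.20:51324 flags=FA
out 192.0.2.7:22 -> 203.0.113.9:4000 flags=S
out 192.0.2.7:40112 -> 203.0.113.9:22 flags=S
"""


def classify(line, service_port=22):
    """Classify one outbound entry by source port and TCP flags."""
    m = LINE.fullmatch(line.strip())
    if not m:
        return "unparsed"
    if m["dir"] != "out" or int(m["sport"]) != service_port:
        # Includes ordinary SSH client traffic (destination port 22).
        return "not-applicable"
    flags = set(m["flags"])
    if flags == {"S"}:
        # A bare SYN from source port 22: a local process bound the
        # privileged port itself and is opening a connection.
        return "suspicious-initiation"
    if "A" in flags or "R" in flags:
        # SYN-ACK, FIN-ACK, ACK or RST from port 22: consistent with the
        # local SSH server answering a peer, e.g. after firewall state expired.
        return "likely-server-reply"
    return "unknown"


def triage(log_text):
    """Return (line, verdict) pairs for every non-empty line."""
    return [(l, classify(l)) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:22} {entry}")
```
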