Definitely looks like someone is using port 22 to leave that box and go to bluemidnight. Any process you don't recognize, or what does a netstat say? Anything out of the ordinary?

Chet Harvey
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
703.407.7311

Quoting Jeffrey Goldberg <jeffrey at goldmark dot org>:

> This probably isn't the right list for this, but in the worst case, I
> can hope for useful pointers to where to search.
>
> I have a handful of m0n0wall log entries (8 over the course of 90
> seconds) that look like this
>
> ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 ->
> 208.179.71.132,46422 PR tcp len 20 60 -AS IN
>
> All 8 instances are the same (except for the time). Same source,
> destinations and ports.
>
> 192.168.2.7 is not publicly accessible (behind NAT with no pinholes or
> the like to it). It's running Suse 9.0. And it is running a number of
> services for a chunk of my local network.
>
> No obvious cron jobs were running at the time. The fact that this
> comes FROM a privileged port is particularly worrying. That it is port
> 22 makes me think that something is trying to slip past sloppy firewall
> rules.
>
> I've googled a bit to see if there is discussion of something like
> this, but didn't find anything.
>
> -j
>
> --
> Jeffrey Goldberg http://www.goldmark.org/jeff/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
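As an added example (not code from either poster), a small Python triage script for ipmon lines of the shape quoted above: it parses the fields, decodes the TCP flags (-AS is a SYN/ACK, the reply a host sends to a connection attempt), and groups blocked packets that leave a private host from a privileged port toward a public address, which is the pattern under discussion. The field layout and the flag letters are assumed from the single sample line in the thread, and the log lines fed to it are constructed.

```python
import ipaddress
import re

# Field layout assumed from the sample line in the thread (ipmon/ipfilter format):
# ipmon[pid]: time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen flags DIR
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+"
    r"(?:\s+-(?P<flags>[SAFRPU]+))?\s+(?P<dir>IN|OUT)"
)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = ev["flags"] or ""
    return ev

def decode_flags(flags):
    """'AS' -> 'ACK+SYN': a SYN/ACK, i.e. a host answering a connection attempt."""
    return "+".join(FLAG_NAMES[f] for f in flags) if flags else "none"

def is_private(ip):
    return ipaddress.ip_address(ip).is_private

def is_suspicious(ev):
    """Blocked TCP leaving an RFC1918 host from a privileged (<1024) port to a public address."""
    return (ev is not None and ev["action"] == "b" and ev["proto"] == "tcp"
            and ev["sport"] < 1024 and is_private(ev["src"]) and not is_private(ev["dst"]))

def triage(lines):
    """Group suspicious events by 4-tuple: {(src, sport, dst, dport): (count, decoded flags)}."""
    hits = {}
    for line in lines:
        ev = parse_ipmon(line)
        if is_suspicious(ev):
            key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
            count, _ = hits.get(key, (0, ""))
            hits[key] = (count + 1, decode_flags(ev["flags"]))
    return hits

# Constructed sample: two copies of the thread's entry, an inbound probe, and a passed outbound SYN.
SAMPLE = [
    "ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 -> 208.179.71.132,46422 PR tcp len 20 60 -AS IN",
    "ipmon[82]: 03:27:10.100000 sis0 @0:31 b 192.168.2.7,22 -> 208.179.71.132,46422 PR tcp len 20 60 -AS IN",
    "ipmon[82]: 03:27:40.500000 sis1 @0:12 b 208.179.71.132,46423 -> 192.168.2.7,22 PR tcp len 20 60 -S IN",
    "ipmon[82]: 03:28:01.000000 sis0 @0:5 p 192.168.2.7,34567 -> 208.179.71.132,80 PR tcp len 20 60 -S IN",
]
```

Run `triage(SAMPLE)` to see only the 192.168.2.7:22 -> 208.179.71.132:46422 pair reported, with its flags decoded as ACK+SYN; the inbound probe and the ordinary passed connection are left out.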