 
 From:  Chet Harvey <chet at pittech dot com>
 To:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 13:28:31 -0500
Definitely looks like someone is using port 22 to leave that box and go to 
bluemidnight.

Any process you don't recognize, or what does a netstat say? Anything out of 
the ordinary?

Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Jeffrey Goldberg <jeffrey at goldmark dot org>:

> This probably isn't the right list for this, but in the worst case, I 
> can hope for useful pointers to where to search.
> 
> I have a handful of m0n0wall log entries (8 over the course of 90 
> seconds) that look like this
> 
> ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 ->
>     208.179.71.132,46422 PR tcp len 20 60 -AS IN
> 
> All 8 instances are the same (except for the time).  Same source, 
> destinations and ports.
> 
> 192.168.2.7 is not publicly accessible (behind NAT with no pinholes or 
> the like to it).  It's running Suse 9.0.  And it is running a number of 
> services for a chunk of my local network.
> 
> No obvious cron jobs were running at the time.  The fact that this 
> comes FROM a privileged port is particularly worrying.  That it is port 
> 22 makes me think that something is trying to slip past sloppy firewall 
> rules.
> 
> I've googled a bit to see if there is discussion of something like 
> this, but didn't find anything.
> 
> -j
> 
> -- 
> Jeffrey Goldberg                        http://www.goldmark.org/jeff/
> 
> 
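The ipmon line quoted in the thread has a fixed field layout, so a batch of such entries can be parsed and classified instead of eyeballed. The Python below is an added example for this thread, not code from the m0n0wall project or from either poster: it parses ipmon lines of the shape shown above, decodes the TCP flag string (ipmon prints one letter per set flag after a leading `-`, so `-AS` is SYN+ACK), flags entries where a host on an internal network sends TCP from a privileged source port to an external address (the pattern the poster describes), and counts repeats of the same 4-tuple. The internal network `192.168.2.0/24` is assumed from the address in the post; in the sample log only the first line is the one quoted in the thread, the others are constructed.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Field layout of the ipmon(8) TCP/UDP line quoted in the thread:
#   ipmon[pid]: HH:MM:SS.usec iface @group:rule action src,sport -> dst,dport
#   PR proto len hdrlen totlen [-FLAGS] IN|OUT
# Other ipmon line shapes (ICMP, fragments, NAT records) are not handled.
IPMON_RE = re.compile(
    r"(?:ipmon\[\d+\]:\s+)?(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s+"
    r"(?:(?P<flags>-[A-Z]*)\s+)?(?P<dir>IN|OUT)"
)

# ipmon prints one letter per set TCP flag after a leading '-'.
FLAG_NAMES = {"A": "ACK", "S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# Assumed from the 192.168.2.7 address in the post; adjust to the real LAN.
INTERNAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]


@dataclass
class IpmonEntry:
    time: str
    iface: str
    rule: int
    action: str        # 'b' blocked, 'p' passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: Set[str]    # decoded TCP flags, empty for non-TCP
    direction: str     # 'IN' or 'OUT' relative to the interface


def parse_ipmon(line: str) -> Optional[IpmonEntry]:
    # Returns None for lines of another shape instead of raising.
    m = IPMON_RE.search(line)
    if not m:
        return None
    raw = m.group("flags") or ""
    return IpmonEntry(
        m.group("time"), m.group("iface"), int(m.group("rule")), m.group("action"),
        m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")),
        m.group("proto").lower(),
        {FLAG_NAMES[c] for c in raw.lstrip("-") if c in FLAG_NAMES},
        m.group("dir"),
    )


def handshake_stage(entry: IpmonEntry) -> str:
    # SYN alone: the source is opening a connection.  SYN+ACK: the source is
    # answering a connection request it received on its own port.
    if entry.proto != "tcp":
        return "n/a"
    if {"SYN", "ACK"} <= entry.flags:
        return "SYN-ACK"
    if "SYN" in entry.flags:
        return "SYN"
    return "established"


def is_internal(addr: str, nets=INTERNAL_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def is_suspicious(entry: IpmonEntry, nets=INTERNAL_NETS, privileged_max: int = 1023) -> bool:
    # The pattern from the post: internal host, TCP, privileged source port,
    # external destination.
    return (entry.proto == "tcp" and is_internal(entry.src, nets)
            and not is_internal(entry.dst, nets) and entry.sport <= privileged_max)


def find_suspicious(lines: Iterable[str], nets=INTERNAL_NETS) -> List[IpmonEntry]:
    parsed = (parse_ipmon(ln) for ln in lines)
    return [e for e in parsed if e is not None and is_suspicious(e, nets)]


def count_tuples(entries: Iterable[IpmonEntry]) -> Dict[Tuple[str, int, str, int], int]:
    # How often each src,sport -> dst,dport repeats (the post saw 8 identical ones).
    return dict(Counter((e.src, e.sport, e.dst, e.dport) for e in entries))


# Constructed sample: line 1 is the entry quoted in the thread; the rest are
# made up (line 2 imitates the repeats the poster describes).
SAMPLE_LOG = """\
ipmon[82]: 03:26:52.682133 sis0 @0:31 b 192.168.2.7,22 -> 208.179.71.132,46422 PR tcp len 20 60 -AS IN
ipmon[82]: 03:26:55.103377 sis0 @0:31 b 192.168.2.7,22 -> 208.179.71.132,46422 PR tcp len 20 60 -AS IN
ipmon[82]: 03:27:01.551002 sis0 @0:12 p 192.168.2.15,51234 -> 198.51.100.10,80 PR tcp len 20 60 -S IN
ipmon[82]: 03:27:02.004411 sis0 @0:12 p 192.168.2.15,40111 -> 192.168.2.1,53 PR udp len 20 61 IN
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for (src, sport, dst, dport), n in count_tuples(hits).items():
        first = next(e for e in hits if (e.src, e.sport, e.dst, e.dport) == (src, sport, dst, dport))
        print(f"{src}:{sport} -> {dst}:{dport}  x{n}  rule @0:{first.rule}  {handshake_stage(first)}")
```

Decoding the flag string before hunting for a process is worth the few lines: a lone SYN from port 22 would mean the host is opening connections outbound, while a SYN+ACK means it is answering a request that reached its port 22, and the two point at different places to look next (a local process versus whatever delivered the inbound request). Either way, the netstat check suggested in the reply, run on the host itself, is the natural follow-up.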