[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Have I been owned? (caught outgoing src port 22)
 Date:  Fri, 28 Jan 2005 14:56:08 -0500
On Fri, 28 Jan 2005 07:53:17 -0800, Jeffrey Goldberg
<jeffrey at goldmark dot org> wrote:
> This probably isn't the right list for this, but in the worst case, I
> can hope for useful pointers to where to search.

I'd recommend the excellent incidents list at Security Focus. 

> I have a handful of m0n0wall log entries (8 over the course of 90
> seconds) that look like this
> ipmon[82]: 03:26:52.682133 sis0 @0:31 b,22 ->
>,46422 PR tcp len 20 60 -AS IN
> All 8 instances are the same (except for the time).  Same source,
> destinations and ports.

I'd drop all outbound traffic and see what it's trying to get to.  As
somebody else said, these are getting dropped because they're
duplicate packets in the session.  My first reaction, since this isn't
a publicly accessible server, is that it's something other than been
owned, though of course it's possible.  Treat it as if it were at this
point, to be on the safe side.  I wouldn't trust any of the utilities
on the system (ps, ls, top, netstat, etc. etc.) since you might be
rootkitted.  As a decent test, I'd run chkrootkit after installing it
from a trusted binary source.

If you can determine what it's trying to get out to, you should be
able to then go back to the box and determine what app is trying to do
it, and then tell from there what's going on.