LinuxQuestions.org

ErrorBound 03-11-2007 01:32 PM

Unauthorized SSH connections
 
Today I was sitting around and by chance happened to notice that my machine had traffic of ~5 kB/s (up and down), but I was not doing anything to initiate this. So I checked the network connections:

Code:

njl@dvorak:~$ netstat -tup
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 dvorak.local:36785      by2msg1161905.phx.:msnp ESTABLISHED14160/wish
tcp        0      0 dvorak.local:39103      modemcable042.219:21197 ESTABLISHED24287/skype
tcp        0      0 dvorak.local:39776      by1msg3145605.phx.:msnp ESTABLISHED14160/wish
tcp        0      0 dvorak.local:50564      py-in-f18.google.co:www ESTABLISHED29110/firefox-bin
tcp        0      0 dvorak.local:38153      py-in-f147.google.c:www ESTABLISHED29110/firefox-bin
tcp        0      0 dvorak.local:38118      py-in-f147.google.c:www ESTABLISHED29110/firefox-bin
tcp        0      0 dvorak.local:38415      eh-in-f99.google.co:www ESTABLISHED29110/firefox-bin
tcp        0      0 dvorak.local:37486      207.61.136.27:www      ESTABLISHED29110/firefox-bin
tcp        0      0 dvorak.local:37485      207.61.136.27:www      ESTABLISHED29110/firefox-bin
tcp6      0      0 ::ffff:192.168.2.30:ssh appsrv2.masternur:56662 TIME_WAIT  -
tcp6      0      0 ::ffff:192.168.2.30:ssh appsrv2.masternur:35433 TIME_WAIT  -
tcp6      0      0 ::ffff:192.168.2.30:ssh appsrv2.masternur:58881 TIME_WAIT  -
tcp6      0    704 ::ffff:192.168.2.30:ssh appsrv2.masternur:42006 ESTABLISHED-
tcp6      0      0 ::ffff:192.168.2.30:ssh appsrv2.masternur:33744 TIME_WAIT  -
tcp6      0      0 ::ffff:192.168.2.30:ssh appsrv2.masternur:57248 TIME_WAIT  -

And there I found some mysterious SSH connections to appsrv2.masternursery.com on various ports. I then killed the SSH processes and the network traffic stopped.

What is going on?

(Debian etch, linux 2.6.18, KDE, etc etc)

jiml8 03-11-2007 02:25 PM

What is going on? You don't have your SSH properly secured and someone managed to establish a connection.

Read the sticky thread on this forum about unauthorized SSH connections to learn what to do about it.
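An added example, not part of the thread: a small parser for `netstat -tup` output that reports which remote hosts are connected to the local SSH port, including lines where the State and PID columns run together as in the listing above. The sample input, host names and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the `netstat -tup` output above;
# host names and PIDs are placeholders, not values from the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 host.local:50564        web.example.net:www     ESTABLISHED29110/firefox-bin
tcp6       0      0 ::ffff:192.168.2.30:ssh peer.example.org:56662  TIME_WAIT  -
tcp6       0      0 ::ffff:192.168.2.30:ssh peer.example.org:35433  TIME_WAIT  -
tcp6       0    704 ::ffff:192.168.2.30:ssh peer.example.org:42006  ESTABLISHED-
tcp        0      0 host.local:41000        git.example.net:ssh     ESTABLISHED 3100/ssh
"""

# Older netstat prints an 11-character state such as ESTABLISHED with no space
# before the PID column, so the state is matched as a prefix, not a field.
STATE = re.compile(r"(ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|"
                   r"TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING|CLOSE|LISTEN)(.*)")

def parse_netstat(text):
    """Yield one dict per TCP connection line of `netstat -tup` output."""
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header, banner or non-TCP line
        m = STATE.match(parts[5])
        if not m:
            continue
        _, _, lport = parts[3].rpartition(":")      # split on the last colon
        rhost, _, rport = parts[4].rpartition(":")  # so IPv6 hosts stay intact
        yield {"local_port": lport, "remote_host": rhost, "remote_port": rport,
               "state": m.group(1), "owner": m.group(2).strip()}

def inbound_ssh(text, ssh_ports=("ssh", "22")):
    """Count connections per remote host whose *local* end is the SSH port.

    A local port of ssh means the peer connected to this machine's sshd; the
    differing remote ports are the peer's ephemeral source ports.
    """
    peers = defaultdict(Counter)
    for conn in parse_netstat(text):
        if conn["local_port"] in ssh_ports:
            peers[conn["remote_host"]][conn["state"]] += 1
    return {host: dict(states) for host, states in peers.items()}

if __name__ == "__main__":
    for host, states in inbound_ssh(SAMPLE).items():
        flag = "open connection" if states.get("ESTABLISHED") else "closed"
        print(host, states, flag)
```

Run as root and pipe real `netstat -tup` output into `inbound_ssh()` in place of `SAMPLE`; outbound SSH sessions (remote port `ssh`) are deliberately not counted.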

