tcp 22 > tcp 22

From: Tarmo Renter (tarmo_at_momentor.ee)
Date: 07/01/03

    To: freebsd-security@freebsd.org
    Date: Tue, 1 Jul 2003 14:32:54 +0300
    
    

    Hi,

    Today I spotted the following line in my FreeBSD 4.6.2-RELEASE IPFIREWALL log:

    Jul 1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP xxxxxx:22 yyyyy:22 in via ed1

    where xxxxxx is the attacker's IP and yyyyy is my box.

    But in the sshd log, there are no traces left behind by this connection.
    Normally, there is "Did not receive identification string from xxx" etc. when
    somebody tries to scan the SSH port.

    Also, as you can see, the connection is made from port 22 to port 22, which is
    odd.

    Is this some kind of SYN packet trick, and how come no I/O to sshd is made?

    sshd -v shows:
    sshd version OpenSSH_3.4p1 FreeBSD-20020702

    ---
    Regards,
    Tarmo Renter
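
The check described in the message above, written as a triage script. This is an added example, not part of the original post: it parses ipfw log lines in the format quoted there, keeps accepted inbound packets to port 22 whose source port is below 1024, and reports those for which sshd logged nothing about the same source address. The sample log lines, addresses, the year, the 30-second window and the function name `find_silent_low_port_hits` are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data in the format quoted in the post; the addresses are
# documentation ranges (RFC 5737), not values from the original message.
IPFW_LOG = """\
Jul  1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.10:22 198.51.100.5:22 in via ed1
Jul  1 13:40:02 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.77:51234 198.51.100.5:22 in via ed1
Jul  1 13:41:10 fbsd /kernel: ipfw: 1400 Accept TCP 203.0.113.9:80 198.51.100.5:22 in via ed1
"""
SSHD_LOG = """\
Jul  1 13:40:03 fbsd sshd[312]: Did not receive identification string from 192.0.2.77
"""

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ /kernel: ipfw: (?P<rule>\d+) Accept TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<ifc>\S+)")
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: .*?(?P<ip>\d+\.\d+\.\d+\.\d+)")


def _ts(text, year=2003):
    # Syslog timestamps carry no year; the year is an assumption of this example.
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def find_silent_low_port_hits(ipfw_log, sshd_log, window=timedelta(seconds=30)):
    """Return accepted inbound TCP/22 packets with a source port below 1024
    for which sshd logged nothing about that source within `window`."""
    sshd_seen = [(_ts(m["ts"]), m["ip"])
                 for m in map(SSHD_RE.match, sshd_log.splitlines()) if m]
    findings = []
    for m in filter(None, map(IPFW_RE.match, ipfw_log.splitlines())):
        if int(m["dport"]) != 22 or int(m["sport"]) >= 1024:
            continue  # ordinary clients connect from an ephemeral source port
        when = _ts(m["ts"])
        traced = any(ip == m["src"] and abs(t - when) <= window for t, ip in sshd_seen)
        if not traced:
            findings.append({"time": when, "src": m["src"], "sport": int(m["sport"]),
                             "rule": int(m["rule"]), "same_port": m["sport"] == m["dport"]})
    return findings


if __name__ == "__main__":
    for hit in find_silent_low_port_hits(IPFW_LOG, SSHD_LOG):
        print(hit)
```

An ipfw log line records a single packet that matched the rule, so a hit here does not by itself show that a TCP session reached sshd.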