Re: weird tcpdump log

From: Ian Jones (ian@dsl081-056-052.sfo1.dsl.speakeasy.net)
Date: 12/11/01


magikh0e@penguin-security.com writes:

> Can anyone tell what was happening from these logs? I also found out
> that this sapient host was recently compromised. These logs look like
> they were coming from me, or was the ftp host scanning mine?
>
> Thanks ahead.
> 23:11:00.113688 ftp.sapient.com.1649 > myhost.ssh: . 8860:10308(1448)
> ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
> 23:11:00.115185 ftp.sapient.com.1649 > myhost.ssh: . 10308:11756(1448)
> ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
> 23:11:00.115263 myhost.ssh > ftp.sapient.com.1649: . ack 11756 win 30408
> <nop,nop,timestamp 44945132 841409708> (DF)

You have an actual established ssh connection here between sapient and
myhost. Have you verified that myhost is not running a vulnerable
version of ssh?

You can see by the TCP sequence numbers that there is data passing
between the two hosts.

Did you by any chance capture the session, or was it you making an ssh
connection from sapient to myhost?

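Ian's reading of the sequence numbers can be checked mechanically. The parser below is an added example, not code from the thread: it re-joins the tcpdump records the mail client wrapped, totals payload bytes per direction and checks that myhost's ack (11756) covers the last byte sapient sent, which is what marks this as an established session with data flowing rather than a scan. It assumes the old tcpdump TCP output style `seq:seq(len) ack N` shown in the post.

```python
import re
from collections import defaultdict

# The three records quoted in the post, wrapped onto two physical lines each.
SAMPLE_LOG = """
23:11:00.113688 ftp.sapient.com.1649 > myhost.ssh: . 8860:10308(1448)
ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
23:11:00.115185 ftp.sapient.com.1649 > myhost.ssh: . 10308:11756(1448)
ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
23:11:00.115263 myhost.ssh > ftp.sapient.com.1649: . ack 11756 win 30408
<nop,nop,timestamp 44945132 841409708> (DF)
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# src.port > dst.port: flags [start:end(len)] [ack N] ...  (old tcpdump TCP format)
REC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)

def unwrap(text):
    """Re-join records wrapped across physical lines (continuations lack a timestamp)."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_record(rec):
    m = REC_RE.match(rec)
    if not m:
        return None
    g = {k: (int(v) if v is not None and v.isdigit() else v) for k, v in m.groupdict().items()}
    return {"src": g["src"], "dst": g["dst"], "flags": g["flags"],
            "end": g["end"], "len": g["len"] or 0, "ack": g["ack"]}

def summarize(text):
    """Per (src, dst): payload bytes seen, and whether the peer's latest ack
    covers the highest sequence number sent to it."""
    payload, high_end, last_ack = defaultdict(int), {}, {}
    for p in filter(None, map(parse_record, unwrap(text))):
        key = (p["src"], p["dst"])
        payload[key] += p["len"]
        if p["end"] is not None:
            high_end[key] = max(high_end.get(key, 0), p["end"])
        if p["ack"] is not None:
            last_ack[key] = p["ack"]
    acked = {k: last_ack.get((k[1], k[0])) == e for k, e in high_end.items()}
    return {"payload": dict(payload), "fully_acked": acked,
            "data_flowing": bool(acked) and all(acked.values())}
```

A port scan would show SYNs (flags `S`) with no `start:end(len)` payload ranges; here the `.` flags, a growing sequence range and a matching ack from myhost show a live session.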
