Re: weird tcpdump log

From: Ian Jones (ian@dsl081-056-052.sfo1.dsl.speakeasy.net)
Date: 12/11/01

magikh0e@penguin-security.com writes:

> Can anyone tell what was happening from these logs? I also found out
> that this sapient host was recently compromised. These logs look like
> they were coming from me, or was the ftp host scanning mine?
>
> Thanks ahead.
> 23:11:00.113688 ftp.sapient.com.1649 > myhost.ssh: . 8860:10308(1448)
> ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
> 23:11:00.115185 ftp.sapient.com.1649 > myhost.ssh: . 10308:11756(1448)
> ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
> 23:11:00.115263 myhost.ssh > ftp.sapient.com.1649: . ack 11756 win 30408
> <nop,nop,timestamp 44945132 841409708> (DF)

You have an actual established ssh connection here between sapient and
myhost. Have you verified that myhost is not running a vulnerable
version of ssh?

You can see by the TCP sequence numbers that there is data passing
between the two hosts.

Did you by any chance capture the session or was it you making an ssh
connection from sapient to myhost?

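As an added illustration of the point above (example code written for this archive page, not something either poster provided): a small parser for this tcpdump TCP line format that tallies, per direction, how many payload bytes the sequence ranges carry and whether the peer's ack covers them. The three segments from the quoted log are embedded as constructed sample input, each re-joined onto one line; the endpoint names and flow-key layout are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three quoted segments, each rejoined onto a single line.
SAMPLE = """\
23:11:00.113688 ftp.sapient.com.1649 > myhost.ssh: . 8860:10308(1448) ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
23:11:00.115185 ftp.sapient.com.1649 > myhost.ssh: . 10308:11756(1448) ack 314 win 32120 <nop,nop,timestamp 841409708 44945127> (DF)
23:11:00.115263 myhost.ssh > ftp.sapient.com.1649: . ack 11756 win 30408 <nop,nop,timestamp 44945132 841409708> (DF)
"""

# Old-style tcpdump TCP line: "ts src > dst: FLAGS [seq:end(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

@dataclass
class Segment:
    ts: str; src: str; dst: str; flags: str
    seq: Optional[int]; end: Optional[int]; length: int; ack: Optional[int]; win: int

def parse_line(line: str) -> Optional[Segment]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a TCP line in this format (ICMP, ARP, ...): skip it
    g = m.groupdict()
    num = lambda k: int(g[k]) if g[k] is not None else None
    return Segment(g["ts"], g["src"], g["dst"], g["flags"],
                   num("seq"), num("end"), num("len") or 0, num("ack"), int(g["win"]))

def summarize(text: str) -> dict:
    """Per (src, dst) direction: payload bytes seen, highest seq end, highest ack, SYN seen."""
    flows = {}
    for s in filter(None, map(parse_line, text.splitlines())):
        f = flows.setdefault((s.src, s.dst),
                             {"segments": 0, "bytes": 0, "max_end": None, "max_ack": None, "syn": False})
        f["segments"] += 1
        f["bytes"] += s.length                     # bytes carried in seq:end(len)
        if s.end is not None:
            f["max_end"] = max(f["max_end"] or 0, s.end)   # no 2^32 wrap handling: short captures only
        if s.ack is not None:
            f["max_ack"] = max(f["max_ack"] or 0, s.ack)
        f["syn"] = f["syn"] or "S" in s.flags      # no SYN in the capture => already established
    for (src, dst), f in flows.items():            # did the peer acknowledge everything this side sent?
        peer = flows.get((dst, src))
        f["acked_by_peer"] = bool(peer and f["max_end"] is not None
                                  and peer["max_ack"] is not None and peer["max_ack"] >= f["max_end"])
    return flows
```

On the sample, sapient:1649 pushes 2896 payload bytes to myhost:ssh and myhost acks exactly up to the last byte, with no SYN in view, which is what an in-progress ssh session looks like rather than a scan.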