ssh ESTABILISHED to unknown ip

recupero · n00b Joined: 25 Jun 2006 Posts: 26

Upon noticing some activity on eth0, I discover some unwanted(?) traffic.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 720 192.168.1.9:ssh adsl89-120-218-10:22189 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 777 @/org/kernel/udev/udevd
unix 3 [ ] STREAM CONNECTED 500774
unix 3 [ ] STREAM CONNECTED 500773
unix 3 [ ] DGRAM 780
unix 3 [ ] DGRAM 779

Where 192.168.1.9 is my host, to which ssh is open.
I cannot find any trace of this connection on the /var/log/wtmp

What is this connection?

NeddySeagoon · Posted: Fri Jan 01, 2010 9:50 pm Post subject:

recupero,

Check your /var/log/sshd logs to see if an uninvited guest got in via ssh.

Look at all your other logs too. 89-120-218-10 is in Romania, so it looks bad.
If you have been compromised, you can't salvage anything from the install. You need to find out how they got in and fix it, and reinstall.

Try chkrootkit and rootkit hunter. Your guests need not have got root to make use of your system though.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

eccerr0r · Posted: Fri Jan 01, 2010 11:12 pm Post subject:

Of course it's possible something nefarious going on. While it may be true that someone may have broken in and actually is actively using your computer, it's somewhat more likely that someone's just connected to your SSH port and just sitting there trying combinations of users/passwords to try to get in, but unsuccessful. "Established" TCP connection does not necessarily mean "Authenticated" (i.e. logged in) session.

While this latter scenario "may" seem benign, it's still something to think about. However, as long as you have good passwords or are using PKI you should be fine.

I think pretty much all linux boxes around the world with ssh port at 22 and open to the world are being hammered by random ssh requests, trying to find insecure boxes... You might just be attacked by that and caught it in the act. Just hope it was an unsuccessful attempt.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

d2_racing · Posted: Sat Jan 02, 2010 5:34 am Post subject:

I suggest that you install iptables on your box my friend and double check your log.

Maybe it's only a dictionnary attack.

You can counter that with that kind of iptables lines :

cach0rr0 · Posted: Sat Jan 02, 2010 7:50 am Post subject:

It's really almost getting to the point where ip-based blockages are pointless. Rather, things like fail2ban and whatnot...I no longer get any use out of it.

And key-based auth is a no-go for me.

ANYWAY, as someone else mentioned this is just an established connection, not an authenticated session. It could be a connection attempt, it could be one of the zillion random probes, key is to look for failed authentication attempts.

NB: scenarios like this have been all too common

recupero · n00b Joined: 25 Jun 2006 Posts: 26

Thanks,
would you kindly tell me what to configure in order to produce a
/var/log/auth.log or a /var/log/sshd,
since upon a stardard configuration I just have the binary wtmp.

NeddySeagoon · Posted: Sat Jan 02, 2010 2:21 pm Post subject:

recupero,

A logging daemon but a logger is a part of the standard install. I use metalog, as it rotates logs for you and the default settings seem to be pretty good.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

recupero · n00b Joined: 25 Jun 2006 Posts: 26

9. Installing Necessary System Tools
....yep sometimes we dont read what we should read.
Thanks!

d2_racing · Posted: Sat Jan 02, 2010 9:55 pm Post subject:

No problem, we have a lot to read the first time that we install a Gentoo box