On Fri, 25 Jun 2010 03:30:52 -0500 Stan Hoeppner <s...@hardwarefreak.com> wrote:
> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>
> > I am getting lines
> > like:
> > tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
> > tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
>
> It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
> SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>
> You need to pull the cable on the machine, or firewall out all SSH connections
> but _yours_ and clean up the box. Given that they're able to make _outbound_
> ssh connections from your host, they likely have root access already and/or
> have installed a rootkit.

Why is outbound ssh access indicative of root access?

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
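
An added triage example, not part of the original thread: it parses `netstat -tnp` output and lists connections this host initiated to a remote port 22 from a process that is not an SSH client. The first two sample lines are the ones quoted in the thread; the other three are constructed, and the allow-list of client program names is an assumption.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local_port remote_ip remote_port state pid program")

# Columns of `netstat -tnp`: proto recv-q send-q local foreign state pid/program.
# The PID/program column is only populated when netstat runs as root.
LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)/(\S+)"
)
SSH_PORT = 22

SAMPLE = """\
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 192.168.1.2:22 192.168.1.10:51514 ESTABLISHED 812/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 700/sshd
tcp 0 0 192.168.1.2:40112 192.168.1.20:22 ESTABLISHED 1500/ssh
""".splitlines()  # lines 3-5 are constructed sample data


def parse(lines):
    """Yield a Conn for every TCP line that has a concrete remote endpoint."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) == "*":  # skip headers and LISTEN sockets
            continue
        yield Conn(int(m.group(2)), m.group(3), int(m.group(4)),
                   m.group(5), int(m.group(6)), m.group(7).rstrip(":"))


def outbound_ssh(lines, expected_programs=("ssh", "scp", "sftp")):
    """Connections we initiated to remote port 22 from an unexpected program.

    A hit is a lead to review, not proof: sshd can legitimately originate
    connections when it forwards ports for a logged-in user.
    """
    hits = []
    for c in parse(lines):
        # Only the initiator passes through SYN_SENT; otherwise infer the
        # direction from a non-22 local port talking to remote port 22.
        initiated = c.state == "SYN_SENT" or c.local_port != SSH_PORT
        if initiated and c.remote_port == SSH_PORT and c.program not in expected_programs:
            hits.append(c)
    return hits


if __name__ == "__main__":
    for c in outbound_ssh(SAMPLE):
        print(f"review pid {c.pid} ({c.program}) -> {c.remote_ip}:{c.remote_port} [{c.state}]")
```

For each reported PID, comparing `/proc/<pid>/exe` with the packaged `/usr/sbin/sshd` shows whether the process is the real daemon or something merely named `sshd`.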