[Cialug] Rogue SSH Connections

Josh More jmore at starmind.org
Mon Oct 7 18:15:04 CDT 2013


If there is a process running on the Linux box that's kicking off the SSH,
it is either legit or not.  A legit process will most likely come from cron
or another running service. Non-legit processes can be practically
anything.  I propose the following:

1) Reboot the system off a LiveCD. Compile, update and run a clamscan
across the whole drive. See if anything comes up.

2) Run chkrootkit and rkhunter against the system, just to be sure.

3) If #1 and #2 pass, bring the system back up but step through the boot
process.  If the connections are coming once an hour or so, turn on one
service per hour.  Once you know which service is doing it, you can dig
deeper.

Alternatively...

An SSH connection is either legit or not. If it's legit, it's likely using
`which ssh`.  Rename ssh to ssh-orig and write an ssh wrapper that calls
it.  Have it dump env, $!, $$, $0, $1, $2, $3, $4 (etc) to
/tmp/ssh-debug-$date.log.  If these files appear when you ssh out, but
don't appear when you see the activity, something hinky is going on.  Steps
1 and 2 should catch the most common hinky, but if they don't, you might
need to write an iptables trigger that captures a process list when it sees
an outbound ssh connection, or something similarly tricky.

-Josh
On Mon, Oct 7, 2013 at 3:40 PM, L. V. Lammert <lvl at omnitec.net> wrote:

> On Mon, 7 Oct 2013, Barry Von Ahsen wrote:
>
> > lsof needs -i4 to show internet "files" - does
> >
> Just had another one opened, .. however nothing showed with the lsof -i
> :newport! Bummer!
>
> Just saw a packet from the Linux box:
>
> 15:38:16.178325 IP marvel.omnitec.net.60323 > apollo.omnitec.net.ssh:
> Flags [P.], seq 2576624798:2576624830, ack 3719789715, win 164, options
> [nop,nop,TS val 406592169 ecr 4170988026], length 32
>
> Nothing in netstat, .. nothing in lsof, .. I guess whatever process is
> generating the traffic is not maintaining an open socket? That would
> explain the operation, but, unfortunately, no help with finding it.
>
>         Lee
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
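The two pieces of instrumentation Josh sketches above (the logging ssh wrapper, and an iptables trigger that grabs a process list when an outbound ssh connection appears), written out as an added example; this is not code from the thread. It assumes a Linux box with /proc, that the real client has been renamed to /usr/bin/ssh-orig, that debug logs go to /tmp/ssh-debug-*.log, and that the iptables LOG rule uses the prefix "OUTBOUND-SSH: " and lands in /var/log/kern.log; the kern.log lines in sample_kern_log are constructed, not a capture.

```shell
#!/bin/sh
# Added example, not from the thread. Two tools for the "what is making the
# ssh connection" hunt:
#   1. ssh_debug_log: the wrapper body. mv /usr/bin/ssh /usr/bin/ssh-orig, then
#      install this file as /usr/bin/ssh; every invocation leaves a record of
#      who called it (pid, parent command line, argv, environment).
#   2. snapshot_on_ssh: reads kernel log lines written by an iptables LOG rule
#      on new outbound port-22 connections and dumps sockets plus a process
#      list the moment one appears, for traffic that never touches ssh(1).
# Assumed (this example's choices): /usr/bin/ssh-orig, /tmp/ssh-debug-*.log,
# the "OUTBOUND-SSH: " prefix, /var/log/kern.log.

SSH_ORIG="${SSH_ORIG:-/usr/bin/ssh-orig}"
DEBUG_DIR="${SSH_DEBUG_DIR:-/tmp}"
LOG_PREFIX="OUTBOUND-SSH: "

# Command line of a process by PID, via /proc (Linux) with a ps fallback.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# ssh_debug_log LOGFILE [ssh args...]
# Appends one record for this invocation. A cron job shows a parent like
# "/bin/sh -c /usr/local/bin/backup.sh"; an interactive ssh shows a shell
# and a tty; a log that never appears during the mystery traffic means the
# connecting process is not using this binary at all.
ssh_debug_log() {
    logfile="$1"; shift
    {
        printf '=== %s pid=%s ppid=%s uid=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$PPID" "$(id -u)"
        printf 'parent: %s\n' "$(cmdline_of "$PPID")"
        printf 'cwd: %s\n' "$(pwd)"
        printf 'tty: %s\n' "$(tty 2>/dev/null || echo none)"
        printf 'argv: %s\n' "$*"
        printf -- '--- env\n'
        env
        printf -- '--- end\n'
    } >> "$logfile"
}

# Constructed sample of what the iptables rule (see usage note) writes to
# kern.log; not a real capture. Used to exercise snapshot_on_ssh offline.
sample_kern_log() {
    cat <<'EOF'
Oct  7 15:38:16 marvel kernel: OUTBOUND-SSH: IN= OUT=eth0 SRC=192.0.2.5 DST=192.0.2.9 PROTO=TCP SPT=60323 DPT=22 SYN
Oct  7 15:38:17 marvel kernel: usb 1-1: new high-speed USB device number 4
Oct  7 15:39:02 marvel kernel: OUTBOUND-SSH: IN= OUT=eth0 SRC=192.0.2.5 DST=192.0.2.9 PROTO=TCP SPT=60401 DPT=22 SYN
EOF
}

# snapshot_on_ssh OUTDIR < kernel-log-stream
# For every line carrying LOG_PREFIX (an iptables LOG hit on a new outbound
# port-22 SYN) write the trigger line, TCP sockets with owning PIDs, and a
# full process list to OUTDIR/snap-<timestamp>-<n>.txt. Prints the number
# of snapshots written. ss/netstat/ps are best effort: they are what you
# want on the real box, but in a restricted sandbox they may print nothing.
snapshot_on_ssh() {
    outdir="$1"; n=0
    while IFS= read -r line; do
        case "$line" in
            *"$LOG_PREFIX"*)
                n=$((n + 1))
                out="$outdir/snap-$(date +%Y%m%d-%H%M%S)-$n.txt"
                {
                    printf 'trigger: %s\n' "$line"
                    printf -- '--- sockets\n'
                    (ss -tnp 2>/dev/null || netstat -tnp 2>/dev/null) || true
                    printf -- '--- processes\n'
                    ps -eo pid,ppid,user,lstart,args 2>/dev/null || true
                } > "$out"
                ;;
        esac
    done
    echo "$n"
}

# When installed as /usr/bin/ssh: log the call, then hand over to the real
# client with the original arguments.
case "$(basename "$0")" in
    ssh)
        ssh_debug_log "$DEBUG_DIR/ssh-debug-$(date +%Y%m%d-%H%M%S)-$$.log" "$@"
        exec "$SSH_ORIG" "$@"
        ;;
esac
```

To arm the second half: `iptables -I OUTPUT -p tcp --dport 22 --syn -j LOG --log-prefix "OUTBOUND-SSH: "`, then `tail -F /var/log/kern.log | snapshot_on_ssh /var/tmp/ssh-snaps` in a screen session. The wrapper only sees processes that exec the ssh found in PATH; something carrying its own SSH implementation, or a private copy under another name, leaves no debug log, which is exactly what the "logs appear when I ssh out but not during the mystery connection" comparison is meant to reveal. The iptables snapshot covers that case, but it fires on the SYN and runs ps a moment later, so a process that opens a socket, sends 32 bytes and exits (the pattern in Lee's tcpdump line) can already be gone; if the snapshots come back empty, the next step is syscall-level auditing of connect(2) with auditd, which records the PID and executable regardless of how the socket was made.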

