Security Incidents mailing list archives

ssh weirdness


From: spiff () BWAY NET (spiff)
Date: Sat, 26 Feb 2000 05:38:16 -0500


Hello All

This is my first posting to the list, so if it's off topic please go
lightly on me.

Running lsof on a suspect OpenBSD 2.6 i386 box, patched to the latest (Jan
31) patchlevel, I see this:

# /usr/local/sbin/lsof -i | grep ssh
sshd       5249     root    3u  IPv4 0xe0da5b00      0t0  TCP host:ssh (LISTEN)

sshd      19463     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000

sshd      32487     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000

What is that? I suspect they are ssh connections with the other endpoint
hidden somehow. How would someone do this? What would I look for?

