Security Incidents mailing list archives

Re: ssh weirdness


From: markus () OPENBSD ORG (Markus Friedl)
Date: Mon, 28 Feb 2000 14:20:51 +0100


Are you sure that you are not using an old lsof binary?
Does fstat give the 'correct' information?

On Sat, Feb 26, 2000 at 05:38:16AM -0500, spiff wrote:
Hello All

This is my first posting to the list, so if it's off topic please go
lightly on me.

Running lsof on a suspect OpenBSD 2.6 i386 box, patched to the latest (Jan
31) patchlevel, I see this:

# /usr/local/sbin/lsof -i | grep ssh
sshd       5249     root    3u  IPv4 0xe0da5b00      0t0  TCP host:ssh (LISTEN)
sshd      19463     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000
sshd      32487     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000

What is that? I suspect they are ssh connections with the other endpoint
hidden somehow. How would someone do this? What would I look for?
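
Added example (not part of either message): a small sh/awk filter that picks out the lsof entries whose socket details could not be read and prints the fstat command to cross-check each PID, as the reply suggests. The function names are assumptions of this example, and the sample input is constructed from the output quoted above.

```sh
#!/bin/sh
# Triage `lsof -i` output: which sockets could lsof not resolve, and which
# PIDs should be re-checked with fstat? (Added example, hypothetical names.)

# Constructed sample: the three sshd entries quoted in the post.
sample_lsof() {
cat <<'EOF'
sshd       5249     root    3u  IPv4 0xe0da5b00      0t0  TCP host:ssh (LISTEN)
sshd      19463     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000
sshd      32487     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000
EOF
}

# Read lsof output on stdin and print "PID FD" for every entry where lsof
# reported that it could not read the inpcb. Lines without a numeric PID in
# field 2 are treated as wrapped continuations (as in mailed output) and are
# glued to the previous entry before matching.
unresolved_sockets() {
    awk '
        function emit() {
            if (entry ~ /can.t read inpcb/) {
                split(entry, f, /[ \t]+/)
                print f[2], f[4]
            }
        }
        $2 ~ /^[0-9]+$/ { emit(); entry = $0; next }
        NF              { entry = entry " " $0 }
        END             { emit() }
    '
}

# Turn the flagged entries into one fstat invocation per distinct PID.
# The commands are printed, not executed, so the result can be reviewed first.
crosscheck_commands() {
    unresolved_sockets | awk '{ print $1 }' | sort -un | while read -r pid; do
        echo "fstat -p $pid"
    done
}

# Stand-alone run on the constructed sample.
sample_lsof | crosscheck_commands
```

On the suspect host, pipe the real `lsof -i` output into `crosscheck_commands` instead of the sample and compare what fstat reports for the same file descriptors.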

