
Re: ssh weirdness



I'm sorry, I should have stated that the output in my original post was
edited to show only the 'weird' connections and the parent sshd. As to
fstat, well frankly I didn't know about that. Thanks. 

The issue at hand is hard to replicate since the suspected connections
have stopped due to new filtering rules in place. There is now no question
that there was misuse of the computing facilities, and I can't say any
more.

The system is using lsof 4.45, not the latest 4.48, which I will
recommend upgrading to.

thanks for your reply.

john

On Mon, 28 Feb 2000, Markus Friedl wrote:

> are you sure that you are not using an old lsof binary?
> does fstat give the 'correct' information?
> 
> On Sat, Feb 26, 2000 at 05:38:16AM -0500, spiff wrote:
> > Hello All
> > 
> > This is my first posting to the list, so if it's off topic please go
> > lightly on me.
> > 
> > Running lsof on a suspect OpenBSD 2.6 i386 box, patched to the latest (jan
> > 31) patchlevel, I see this:
> > 
> > # /usr/local/sbin/lsof -i | grep ssh
> > sshd       5249     root    3u  IPv4 0xe0da5b00      0t0  TCP host:ssh (LISTEN)
> > 
> > sshd      19463     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000
> > 
> > sshd      32487     root    5u  IPv4                 0t0  TCP can't read inpcb at 0x00000000
> > 
> > What is that? I suspect they are ssh connections with the other endpoint
> > hidden somehow. How would someone do this? What would I look for?
>