
When I was monitoring the network activity of my server using netstat -na, I noticed the following lines, which were strange to me:

First it was:

tcp        0      0 XXX.XXX.XXX.XXX:22        YYY.YYY.YYY.YYY:48085       SYN_RECV

and a few seconds after I noticed:

udp        0      0 XXX.XXX.XXX.XXX:34151      YYY.YYY.YYY.YYY:33486       ESTABLISHED
udp        0      0 XXX.XXX.XXX.XXX:34152      YYY.YYY.YYY.YYY:33487       ESTABLISHED
udp        0      0 XXX.XXX.XXX.XXX:34153      YYY.YYY.YYY.YYY:33488       ESTABLISHED
udp        0      0 XXX.XXX.XXX.XXX:34157      YYY.YYY.YYY.YYY:33492       ESTABLISHED
udp        0      0 XXX.XXX.XXX.XXX:34158      YYY.YYY.YYY.YYY:33493       ESTABLISHED
udp        0      0 XXX.XXX.XXX.XXX:34160      YYY.YYY.YYY.YYY:33494       ESTABLISHED

Is this someone trying to connect using SSH? What was the second part, where the connection is established?

Another strange thing is that all of my ports 1024-65535 are closed with iptables.

Please help!

user48058

2 Answers

1

The second set is UDP, so unrelated to SSH. The ports suggest traceroute to me, which typically starts at port 33434 per the man page. Did you traceroute his IP after finding the connection?

Slartibartfast
  • Yes, as I said, the foreign IP address I did find listed on http://listserv.vt.edu/cgi-bin/wa?A2=ind1006&L=techsupport&F=&S=&P=33444 – user48058 Jul 11 '10 at 05:35
  • If you did a traceroute before or at the same time you did netstat, it is likely the source of the second section of netstat output. – Slartibartfast Jul 11 '10 at 05:55
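As an added illustration (not part of either answer and not the poster's own output), the following Python script parses netstat -na lines like the ones in the question and applies the heuristic from this answer: a TCP socket on local port 22 in SYN_RECV is an inbound SSH handshake, and a run of UDP sockets whose foreign ports fall in the range that traceroute(8) uses (starting at 33434, one port per probe) is flagged as traceroute probes and grouped by peer. The sample output is constructed; the addresses are documentation placeholders and the port pattern mirrors the question. The name summarize and the "30 hops x 3 probes" range are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -na` output (not the poster's hosts).
# One inbound SSH handshake, a run of connected UDP sockets to one peer,
# one ordinary web connection and one unconnected UDP listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:48085      SYN_RECV
udp        0      0 192.0.2.10:34151        198.51.100.7:33486      ESTABLISHED
udp        0      0 192.0.2.10:34152        198.51.100.7:33487      ESTABLISHED
udp        0      0 192.0.2.10:34153        198.51.100.7:33488      ESTABLISHED
udp        0      0 192.0.2.10:34157        198.51.100.7:33492      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# traceroute(8) starts its UDP destination ports at 33434 and increments
# the port once per probe; 30 hops x 3 probes is the default, an assumption
# used here only to bound the heuristic range.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_MAX_PROBES = 30 * 3
TRACEROUTE_PORTS = range(TRACEROUTE_BASE_PORT,
                         TRACEROUTE_BASE_PORT + TRACEROUTE_MAX_PROBES)

# Matches the socket lines of `netstat -na`; header lines do not match.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+|\*)\s+'
    r'(?P<faddr>\S+):(?P<fport>\d+|\*)'
    r'(?:\s+(?P<state>\S+))?\s*$'
)


def parse_netstat(text):
    """Parse netstat -na output into dicts; non-socket lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d['lport'] = None if d['lport'] == '*' else int(d['lport'])
        d['fport'] = None if d['fport'] == '*' else int(d['fport'])
        d['state'] = d['state'] or ''   # UDP listeners have no state column
        entries.append(d)
    return entries


def classify(entry):
    """Label one socket. The traceroute label is a port-range heuristic only."""
    if (entry['proto'] == 'tcp' and entry['lport'] == 22
            and entry['state'] == 'SYN_RECV'):
        return 'inbound-ssh-handshake'
    if (entry['proto'] == 'udp' and entry['fport'] is not None
            and entry['fport'] in TRACEROUTE_PORTS):
        return 'udp-traceroute-probe'
    return 'other'


def traceroute_peers(entries):
    """Peers with at least two traceroute-range UDP sockets.
    Returns {foreign_addr: sorted list of foreign ports}."""
    ports = defaultdict(list)
    for e in entries:
        if classify(e) == 'udp-traceroute-probe':
            ports[e['faddr']].append(e['fport'])
    return {peer: sorted(p) for peer, p in ports.items() if len(p) >= 2}


def summarize(text):
    """Counts per label plus the peers that look like traceroute targets."""
    entries = parse_netstat(text)
    return {
        'counts': dict(Counter(classify(e) for e in entries)),
        'traceroute_peers': traceroute_peers(entries),
    }


if __name__ == '__main__':
    print(summarize(SAMPLE_NETSTAT))
```

On Linux, netstat shows a UDP socket as ESTABLISHED only when the owning process has connect()ed it to a single peer, which is how the usual traceroute client sends each probe, so a short-lived run of such sockets whose local ports climb together with foreign ports in the 33434+ range points to a traceroute run from this host rather than to inbound traffic; the iptables rules quoted in the question, which match only tcp, would not block those UDP datagrams either way.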
0

The first is someone trying to connect to your machine via SSH.

Without knowing which programs are on your end of the connection, it's impossible to completely know what the second set is. They're outbound connections, since you say that inbound connections have been denied via iptables.

Ignacio Vazquez-Abrams
  • But in the second part, there are some established connections. The IP is the same as in the first part. How can I know if there is some application that made outbound connections? I have the following two lines in my iptables config file, /sbin/iptables -A INPUT -p tcp --dport 1024:65535 -j DROP and /sbin/iptables -A OUTPUT -p tcp --dport 1024:65535 -j DROP... – user48058 Jul 11 '10 at 04:52
  • The other bit about the second set is that they are UDP, so they are not really connections in the first place. Not sure why *netstat* reports them as `ESTABLISHED` (often the state column is just left empty/blank). My guess is that that second set is just reporting recent incoming UDP activity (activity that was probably blocked by the iptables configuration). – Chris Johnsen Jul 11 '10 at 04:54
  • Are you sure it was blocked? I just noticed that in iptables I defined tcp, not udp. It showed in netstat for at most 2-3 seconds, then disappeared... Also, I just found the foreign IP address on the following list: http://listserv.vt.edu/cgi-bin/wa?A2=ind1006&L=techsupport&F=&S=&P=33444 – user48058 Jul 11 '10 at 04:59
  • @user48058: Only you can assess whether it was actually blocked. I was just going by what you originally said. – Chris Johnsen Jul 11 '10 at 05:05
  • Could it be flooding from my server? – user48058 Jul 11 '10 at 05:17
  • Also, I have to mention that I did not find that IP address in the /var/log/secure files... – user48058 Jul 11 '10 at 05:38