netstat suspicious ssh sockets

Question

When i run netstat -t on my server, I get the following among others:

-sshd 14369 root 3u IPv4 1317773 0t0 TCP localhost:ssh->82.77.64.139:62334 (ESTABLISHED) -sshd 14494 root 3u IPv4 1319053 0t0 TCP localhost:ssh->218.87.109.151:22536 (ESTABLISHED) -sshd 14495 sshd 3u IPv4 1319053 0t0 TCP localhost:ssh->218.87.109.151:22536 (ESTABLISHED)

When typing w no one appears, but me from 82.77.64.139.

Is this a rootkit?

Try with `netstat -nlpt` to also list the processes. Then you can also run `netstat -ltpe` to see the associated users. — Paul T., Jul 18 '17 at 14:52

score 0 · Answer 1 · answered Jul 19 '17 at 07:41

0

Ok, so it seems that if you telnet to the specified port, and run netstat, the connection is ESTABLISHED. Didn't knew that. Probably someone scanned the ports, no backdoor present thankfully :)

answered Jul 19 '17 at 07:41

catalin

946
6
14
31

netstat suspicious ssh sockets

1 Answers1