From: el kalin
To: freebsd-security@freebsd.org
Date: Wed, 1 Jul 2015 00:10:29 -0400
Subject: Re: ssh in netstat

nevermind…. i got it…. thanks anyway…

On Wed, Jul 1, 2015 at 12:03 AM, el kalin wrote:

> hi all… looking at output from netstat i see this:
>
> tcp4  0   0 server.name..ssh   218.17.160.22.9225      ESTABLISHED
> tcp4  0   0 server.name..http  baiduspider-220-.18248  FIN_WAIT_2
> tcp4  0   0 server.name..ssh   cpe-74-73-236-43.51418  ESTABLISHED
> tcp4  0   0 server.name..ssh   cpe-74-73-236-43.51326  ESTABLISHED
> tcp4  0  48 server.name..ssh   cpe-74-73-236-43.51160  ESTABLISHED
>
> cpe-74-73-236-43 is me. 218.17.160.22 is some number that appears to
> be in china.
>
> this is from who:
>
> myuser  p0  cpe-74-73-236-43  5:34PM  -     traceroute 218.17.160.22
> myuser  p1  cpe-74-73-236-43  5:50PM  -     w
> myuser  p2  cpe-74-73-236-43  5:57PM  3:36  -sh (sh)
>
> how is it that 218.17.160.22 has an established ssh connection and i
> can't see it with who? how can i figure out what user is that? there is not
> supposed to be anybody logging ssh from china to this machine...
>
> thanks…
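
An added example, not part of the original message: one way to cross-check the two listings quoted above is to report every remote host that holds an ESTABLISHED connection to the ssh port but has no login session from the same host. who only lists sessions recorded at login, so a peer that has completed the TCP handshake with sshd but has not authenticated, or holds no terminal, shows up in netstat only. The helper name ssh_peers_without_login and the embedded sample lines are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample input, shaped like the netstat and who output quoted above.
sample_netstat() {
cat <<'EOF'
tcp4 0 0  server.name..ssh  218.17.160.22.9225     ESTABLISHED
tcp4 0 0  server.name..http baiduspider-220-.18248 FIN_WAIT_2
tcp4 0 0  server.name..ssh  cpe-74-73-236-43.51418 ESTABLISHED
tcp4 0 0  server.name..ssh  cpe-74-73-236-43.51326 ESTABLISHED
tcp4 0 48 server.name..ssh  cpe-74-73-236-43.51160 ESTABLISHED
EOF
}
sample_who() {
cat <<'EOF'
myuser p0 cpe-74-73-236-43 5:34PM -    traceroute 218.17.160.22
myuser p1 cpe-74-73-236-43 5:50PM -    w
myuser p2 cpe-74-73-236-43 5:57PM 3:36 -sh (sh)
EOF
}

# ssh_peers_without_login NETSTAT_FILE WHO_FILE   (hypothetical helper)
# Prints "peer connection_count" for each remote host with an ESTABLISHED
# connection to the local ssh port and no login session from that host.
ssh_peers_without_login() {
    awk '
        # First file (who/w output): field 3 is the remote host of a session.
        FILENAME == ARGV[1] { logged_in[$3] = 1; next }
        # Second file (netstat output): local address ends in .ssh or .22.
        $1 ~ /^tcp/ && $4 ~ /\.(ssh|22)$/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/\.[0-9]+$/, "", peer)      # strip the trailing .port
            if (!(peer in logged_in)) count[peer]++
        }
        END { for (p in count) print p, count[p] }
    ' "$2" "$1"
}

# Run against the constructed sample.
tmp=$(mktemp -d)
sample_netstat > "$tmp/netstat.txt"
sample_who > "$tmp/who.txt"
ssh_peers_without_login "$tmp/netstat.txt" "$tmp/who.txt"
rm -rf "$tmp"
```

Both tools truncate long hostnames, so on a live FreeBSD host compare numeric addresses by capturing `netstat -n` and `w -n` output into the two files.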