[plug] was I probed or ignorantly paranoid?

Gavin Chester gavinchester1 at hotmail.com
Wed Mar 30 01:28:40 WST 2005


I'm not sure whether I was probed or whether I saw some normal traffic
to my machine.  Either way it seemed strange to have many repeat ssh
requests when no one should be ssh-ing into my PC.  Maybe you guys could
shed some light for me? I'm a newbie to many Linux concepts - especially
security :-0.  I run a fairly stock-standard FC3 install with as few
services active as possible and a generic (read as un-tweaked) firewall
in place.  I was watching network activity on my modem and checked out
what it could be with ethereal to capture the packets.  Here is a small
sample of the trace where ssh was repeated over and over with attempts
to exchange keys:  

###############################
47502 32040.681196 jarrah-51.eftel.com 61.103.229.204      SSHv2 Server Protocol: SSH-1.99-OpenSSH_3.9p1
47503 32041.149241 61.103.229.204      jarrah-51.eftel.com SSHv2 Client Protocol: SSH-2.0-libssh-0.1\r
47504 32041.149570 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=24 Ack=21 Win=5792 Len=0 TSV=175579911 TSER=81751857
47505 32041.153191 jarrah-51.eftel.com 61.103.229.204      SSHv2 Server: Key Exchange Init
47506 32041.154988 61.103.229.204      jarrah-51.eftel.com TCP   56327 > ssh [ACK] Seq=1 Ack=24 Win=5840 Len=0 TSV=81751857 TSER=175579443
47507 32041.155135 jarrah-51.eftel.com 61.103.229.204      TCP   [TCP Dup ACK 47504#1] ssh > 56327 [ACK] Seq=664 Ack=21 Win=5792 Len=0 TSV=175579917 TSER=81751857
47508 32041.716149 61.103.229.204      jarrah-51.eftel.com SSHv2 Client: Key Exchange Init
47509 32041.755968 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=664 Ack=173 Win=5792 Len=0 TSV=175580518 TSER=81751915
47510 32042.253834 61.103.229.204      jarrah-51.eftel.com SSHv2 Client: Diffie-Hellman Key Exchange Init
47511 32042.253975 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=664 Ack=317 Win=5792 Len=0 TSV=175581016 TSER=81751964
47512 32042.304556 jarrah-51.eftel.com 61.103.229.204      SSHv2 Server: New Keys
47513 32042.933718 61.103.229.204      jarrah-51.eftel.com SSHv2 Client: New Keys
47514 32042.934044 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=1128 Ack=333 Win=5792 Len=0 TSV=175581696 TSER=81752035
47515 32043.406662 61.103.229.204      jarrah-51.eftel.com SSHv2 Client: Unknown (244)
47516 32043.406972 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=1128 Ack=385 Win=5792 Len=0 TSV=175582169 TSER=81752083
47517 32043.407284 jarrah-51.eftel.com 61.103.229.204      SSHv2 Server: Unknown (192)
47518 32043.936563 61.103.229.204      jarrah-51.eftel.com SSHv2 Encrypted request packet len=84
47519 32043.976628 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=1180 Ack=469 Win=5792 Len=0 TSV=175582739 TSER=81752134
47520 32046.334601 jarrah-51.eftel.com 61.103.229.204      SSHv2 Encrypted response packet len=84
47521 32046.855120 61.103.229.204      jarrah-51.eftel.com SSHv2 Encrypted request packet len=52
47522 32046.855261 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [ACK] Seq=1264 Ack=521 Win=5792 Len=0 TSV=175585618 TSER=81752425
47523 32046.857651 jarrah-51.eftel.com 61.103.229.204      TCP   ssh > 56327 [FIN, ACK] Seq=1264 Ack=521 Win=5792 Len=0 TSV=175585620 TSER=81752425
###############################

It went on like this over and over for about 10mins.  FYI: My ISP is
eftel.com and I did a whois on the other joker and found them in
Korea: 

#############################
#whois 61.103.229.204

IPv4 Address       : 61.103.229.0-61.103.229.255
Network Name       : DREAMX-CATV-DAECHEON-SR
Connect ISP Name   : DREAMX
Connect Date       : 20020325
Registration Date  : 20020424

[ Organization Information ]
Organization ID    : ORG242785
Org Name           : Daecheon Catv
State              : CHUNGNAM
Address            : 562-1, Dongdae-dong, Boryeong-si
Zip Code           : 355-140

[ Admin Contact Information]
Name               : Changjae Lim
Org Name           : Daecheon Catv
State              : CHUNGNAM
Address            : 562-1, Dongdae-dong, Boryeong-si
Zip Code           : 355-140
Phone              : +82-41-931-3844
Fax                : +82-41-933-3846
E-Mail             : qkdthdtk at hanmail.net

[ Technical Contact Information ]
Name               : Changjae Lim
Org Name           : Daecheon Catv
State              : CHUNGNAM
Address            : 562-1, Dongdae-dong, Boryeong-si
Zip Code           : 355-140
Phone              : +82-41-931-3844
Fax                : +82-41-933-3846
E-Mail             : qkdthdtk at hanmail.net
#########################

It _seems_ as though his attempts to ssh into my PC were unsuccessful,
but could you guys confirm that from the limited trace I pasted above?

Needless to say I killed ssh as a service since I am not using it and
only had it there "in case" I did want it sometime soon.

Regards, Gavin
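The thing to know when reading a trace like the one above: once both sides have sent New Keys, every later SSH record is encrypted, so the dissector cannot show whether the password was accepted. What the wire still shows is how much traffic followed the key exchange, how long the connection lived and which side sent the FIN. The script below is an added example, not code from the original post; it parses constructed Ethereal-style summary lines (the first session is abridged from the posted trace, the second short session and the 10.0.0.5 host are invented) and applies exactly that reasoning per remote host. The packet cut-off SHORT_PACKETS is a heuristic chosen here, not a protocol constant.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the Ethereal summary in the post, one packet
# per line: "<no> <time> <src> <dst> <proto> <info>".  The first session is
# abridged from the posted trace; the repeat and the 10.0.0.5 session are invented.
SAMPLE_TRACE = """\
47502 32040.681196 jarrah-51.eftel.com 61.103.229.204 SSHv2 Server Protocol: SSH-1.99-OpenSSH_3.9p1
47503 32041.149241 61.103.229.204 jarrah-51.eftel.com SSHv2 Client Protocol: SSH-2.0-libssh-0.1
47512 32042.304556 jarrah-51.eftel.com 61.103.229.204 SSHv2 Server: New Keys
47513 32042.933718 61.103.229.204 jarrah-51.eftel.com SSHv2 Client: New Keys
47515 32043.406662 61.103.229.204 jarrah-51.eftel.com SSHv2 Client: Unknown (244)
47517 32043.407284 jarrah-51.eftel.com 61.103.229.204 SSHv2 Server: Unknown (192)
47518 32043.936563 61.103.229.204 jarrah-51.eftel.com SSHv2 Encrypted request packet len=84
47520 32046.334601 jarrah-51.eftel.com 61.103.229.204 SSHv2 Encrypted response packet len=84
47521 32046.855120 61.103.229.204 jarrah-51.eftel.com SSHv2 Encrypted request packet len=52
47523 32046.857651 jarrah-51.eftel.com 61.103.229.204 TCP ssh > 56327 [FIN, ACK] Seq=1264 Ack=521 Win=5792 Len=0
47531 32048.400000 61.103.229.204 jarrah-51.eftel.com SSHv2 Client Protocol: SSH-2.0-libssh-0.1
47533 32049.100000 jarrah-51.eftel.com 61.103.229.204 SSHv2 Server: New Keys
47534 32049.700000 61.103.229.204 jarrah-51.eftel.com SSHv2 Client: New Keys
47536 32050.200000 61.103.229.204 jarrah-51.eftel.com SSHv2 Encrypted request packet len=84
47540 32053.600000 jarrah-51.eftel.com 61.103.229.204 TCP ssh > 56328 [FIN, ACK] Seq=1264 Ack=521 Win=5792 Len=0
47601 32100.100000 10.0.0.5 jarrah-51.eftel.com SSHv2 Client Protocol: SSH-2.0-OpenSSH_3.9p1
47605 32100.500000 jarrah-51.eftel.com 10.0.0.5 SSHv2 Server: New Keys
47606 32100.600000 10.0.0.5 jarrah-51.eftel.com SSHv2 Client: New Keys
47610 32101.000000 10.0.0.5 jarrah-51.eftel.com SSHv2 Encrypted request packet len=84
47611 32101.100000 jarrah-51.eftel.com 10.0.0.5 SSHv2 Encrypted response packet len=52
47620 32105.000000 10.0.0.5 jarrah-51.eftel.com SSHv2 Encrypted request packet len=36
47621 32105.100000 jarrah-51.eftel.com 10.0.0.5 SSHv2 Encrypted response packet len=148
47700 32160.000000 10.0.0.5 jarrah-51.eftel.com SSHv2 Encrypted request packet len=36
47701 32160.100000 jarrah-51.eftel.com 10.0.0.5 SSHv2 Encrypted response packet len=420
47702 32160.200000 10.0.0.5 jarrah-51.eftel.com TCP 40012 > ssh [FIN, ACK] Seq=900 Ack=1300 Win=5840 Len=0
"""

LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
SHORT_PACKETS = 5  # heuristic cut-off: an interactive login carries far more records

@dataclass
class Session:
    peer: str
    start: float
    last: float
    newkeys: int = 0            # New Keys seen; 2 means both directions are encrypted
    post_kex_packets: int = 0   # SSH records after that point (contents are opaque)
    closed_by: str = ""         # "server", "client", or "" if no FIN was captured

def parse_sessions(trace, local_host):
    """Split the summary into per-peer sessions; a FIN from either side ends one."""
    sessions, open_by_peer = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header line or wrapped fragment
        _, t, src, dst, proto, info = m.groups()
        t, from_server = float(t), src == local_host
        peer = dst if from_server else src
        sess = open_by_peer.get(peer)
        if sess is None:
            sess = open_by_peer[peer] = Session(peer, t, t)
            sessions.append(sess)
        sess.last = t
        if proto == "SSHv2":
            if info.endswith(": New Keys"):
                sess.newkeys += 1
            elif sess.newkeys >= 2:
                sess.post_kex_packets += 1
        if "[FIN" in info:
            sess.closed_by = "server" if from_server else "client"
            del open_by_peer[peer]
    return sessions

def classify(sess):
    """After NEWKEYS the wire shows only volume, timing and who hung up."""
    if sess.newkeys < 2:
        return "no key exchange: banner grab or aborted connect"
    if sess.post_kex_packets <= SHORT_PACKETS:
        return (f"short: {sess.post_kex_packets} encrypted records in "
                f"{sess.last - sess.start:.1f}s, closed by {sess.closed_by or 'nobody'}")
    return "sustained: traffic continued well past authentication, treat as a login"

def summarize(trace, local_host):
    """Per-peer verdict: a run of short server-closed sessions is the guessing loop."""
    per_peer = defaultdict(list)
    for s in parse_sessions(trace, local_host):
        per_peer[s.peer].append(s)
    report = {}
    for peer, runs in per_peer.items():
        loops = sum(1 for s in runs if s.newkeys >= 2 and s.closed_by == "server"
                    and s.post_kex_packets <= SHORT_PACKETS)
        if loops >= 2:
            verdict = "repeated connect/kex/server-close loop: automated password guessing"
        else:
            verdict = "no guessing loop seen; confirm any sustained session in the auth log"
        report[peer] = {"sessions": len(runs), "classes": [classify(s) for s in runs],
                        "verdict": verdict}
    return report
```

Run `summarize(SAMPLE_TRACE, "jarrah-51.eftel.com")` to get the per-host report. The wire-side heuristic is only ever circumstantial: the authoritative record of whether any of those attempts succeeded is sshd's own log, which on a stock Fedora Core 3 box goes to /var/log/secure (lines such as "Failed password for" or "Invalid user" for each rejected attempt, "Accepted password for" for a successful one). Checking that file for the remote address is the confirmation the trace alone cannot give.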