Anon E Muss wrote:
> I recently noticed excessive activity on my router's activity LED and
> did a little investigating. As an immediate action, I used a big hammer
> and firewalled off 218/8 until I can figure out what is going on here.
> Yesterday, it was 201/8.
Several followups already have suggested that your system is being
attacked via the ssh port. I think folks have mis-read your netstat
output.
> Below is most of output of netstat. Can someone let me know what is
> going on here?
Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
servers. You need to make it stop that. If you blocked 201/8
yesterday, and 218/8 today, you might want to try to find what data it
gathered in the meantime for 202/8 to 217/8. More seriously, you need
to identify the process that is performing the scan, and stop it. Then
you need to figure out how it got there and deal with that.
> ... any suggestions??
Look for a probable compromise by similar means. Judging by the
client-side ports (on your system) used in the scan, I don't think that
a privileged account was compromised (and therefore your system itself
is probably not compromised, unless the compromised account was able to
use local privilege escalation). Another frequent source of account
compromise seems to be some web-based services.
vvvvvvvvvvvvv vvvvvvvvvvvvvvv
> Proto ... Local Address Foreign Address ...
> tcp ... x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh ...
> tcp ... x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh ...
> tcp ... x-xx-x-xx-xx.xxxxxxxx:57080 218.25.228.66:ssh ...
> tcp ... x-xx-x-xx-xx.xxxxxxxx:47493 218.25.164.66:ssh ...
> tcp ... x-xx-x-xx-xx.xxxxxxxx:55216 218.25.23.202:ssh ...
I hope I've helped ...
--
----------------------------------------------------------------------
Sylvain Robitaille
syl@alcor.concordia.ca
Network and Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
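The diagnosis above rests on reading the netstat columns the right way round: the local side holds high (ephemeral) ports while the foreign side is always port 22, so the listed host is the client, not the victim. The script below is an added example, not code from the original post or its author. It parses netstat-style lines, groups outbound connections by local host and destination port, flags a host that is reaching many distinct foreign hosts on the same port, reports the smallest prefix covering the targets seen, and records whether any source port was below 1024 (a privileged source port would mean the scanning process ran as root). The `NETSTAT_SAMPLE` text is constructed to imitate the quoted output, `victim.example.org` is a placeholder, and the `min_targets` threshold is an assumption.

```python
"""Spot an outbound ssh scan in netstat output (added example, not from the post)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample imitating the quoted netstat lines; the local host name is
# a placeholder and the last two lines are ordinary traffic added for contrast.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address            Foreign Address        State
tcp        0      0 victim.example.org:37775 218.25.160.246:ssh     SYN_SENT
tcp        0      0 victim.example.org:1501  218.25.17.78:ssh       SYN_SENT
tcp        0      0 victim.example.org:57080 218.25.228.66:ssh      SYN_SENT
tcp        0      0 victim.example.org:47493 218.25.164.66:ssh      SYN_SENT
tcp        0      0 victim.example.org:55216 218.25.23.202:ssh      SYN_SENT
tcp        0      0 victim.example.org:ssh   192.0.2.10:51234       ESTABLISHED
tcp        0      0 victim.example.org:45000 198.51.100.7:http      ESTABLISHED
"""

# netstat prints service names from /etc/services; map the ones we expect.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "safetynetp": 1501}

LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?"
)


def port_number(token):
    """Turn a numeric port or a service name into an integer port."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name: {token}")


def parse_netstat(text):
    """Return (proto, local_host, local_port, foreign_host, foreign_port, state) tuples."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparsable line
        proto, lhost, lport, fhost, fport, state = m.groups()
        conns.append((proto, lhost, port_number(lport), fhost, port_number(fport), state))
    return conns


def covering_network(addresses):
    """Smallest IPv4 prefix containing every address, e.g. 218.25.0.0/16."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{ips[0]}/{prefix}", strict=False)
        if all(ip in net for ip in ips):
            return net


def find_outbound_scans(conns, min_targets=3):
    """Flag (local_host, foreign_port) pairs that reach many distinct foreign hosts.

    Heuristic: the side on a well-known port (< 1024) is the server, so a
    connection is outbound when the foreign port is well-known and our port is
    higher. min_targets is an assumed threshold, not a standard value.
    """
    targets = defaultdict(set)
    src_ports = defaultdict(set)
    for _proto, lhost, lport, fhost, fport, _state in conns:
        if fport < 1024 and lport > fport:
            targets[(lhost, fport)].add(fhost)
            src_ports[(lhost, fport)].add(lport)
    report = {}
    for key, hosts in targets.items():
        if len(hosts) >= min_targets:
            lowest = min(src_ports[key])
            report[key] = {
                "targets": len(hosts),
                "range": str(covering_network(hosts)),
                "min_src_port": lowest,
                # A client port below 1024 needs root; all-ephemeral ports are
                # consistent with an unprivileged account (the post's reasoning).
                "privileged_source": lowest < 1024,
            }
    return report


if __name__ == "__main__":
    for (host, port), info in find_outbound_scans(parse_netstat(NETSTAT_SAMPLE)).items():
        print(f"{host} -> port {port}: {info['targets']} hosts in {info['range']}, "
              f"lowest source port {info['min_src_port']}, "
              f"privileged source: {info['privileged_source']}")
```

On the live machine the next step is the one the reply asks for, finding the process: `netstat -tnp` (Linux) or `ss -tnp` prints the owning PID and program name next to each socket, and `lsof -i :22` lists every process with a socket on that port, which a plain netstat listing like the quoted one does not show.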