Re: Possible attack?

Sylvain Robitaille wrote:
> Anon E Muss wrote:
>
>> I recently noticed excessive activity on my router's activity LED and
>> did a little investigating. As immediate action, I used a big hammer
>> and firewalled off 218/8 until I can figure out what is going on here.
>> Yesterday, it was 201/8.
>
> Several followups already have suggested that your system is being
> attacked via the ssh port. I think folks have mis-read your netstat
> output.
>
>> Below is most of output of netstat. Can someone let me know what is
>> going on here?
>
> Your machine is port-scanning what appears to be 218.0.0.0/11 for ssh
> servers. You need to make it stop that. If you blocked 201/8
> yesterday, and 218/8 today, you might want to try to find what data it
> gathered in the meantime for 202/8 to 217/8. More seriously, you need
> to identify the process that is performing the scan, and stop it. Then
> you need to figure out how it got there and deal with that.
>
>> ... any suggestions??
>
> Look for a probable compromise by similar means. Judging by the
> client-side ports (on your system) used in the scan, I don't think that
> a privileged account was compromised (and therefore your system itself
> is probably not compromised, unless the compromised account was able to
> use local privilege escalation). Another frequent source of account
> compromise seems to be some web-based services.
>
> vvvvvvvvvvvvv vvvvvvvvvvvvvvv
>> Proto ... Local Address Foreign Address ...
>> tcp ... x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh ...
>> tcp ... x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh ...
>> tcp ... x-xx-x-xx-xx.xxxxxxxx:57080 218.25.228.66:ssh ...
>> tcp ... x-xx-x-xx-xx.xxxxxxxx:47493 218.25.164.66:ssh ...
>> tcp ... x-xx-x-xx-xx.xxxxxxxx:55216 218.25.23.202:ssh ...
>
> I hope I've helped ...

I'll agree. I missed it before that your machine was doing the
attacking, not the other way around. Either you've got a malicious
insider or you've been cracked from the outside.
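The direction mis-read in this thread is easy to check mechanically. The script below is an added example, not code from the original posts: it reads netstat-style output (a constructed sample in the layout quoted above, with a made-up local hostname), keeps TCP entries whose foreign port is ssh while the local port is not, and groups those by remote /16. Many distinct remote hosts in one prefix, all on port 22 with ephemeral local ports, is the outbound-scan pattern Sylvain describes. The service-name table is a small stand-in for /etc/services and `lowest_client_port` reflects his client-side-port reasoning (a local port below 1024 would need a privileged process); both are assumptions of this example, not output of any real tool.

```python
"""Spot an outbound ssh scan in netstat output (added example, not from the thread)."""
import ipaddress
from collections import defaultdict

# Minimal stand-in for /etc/services; assumption: a real system resolves many more names.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "safetynetp": 40000}

# Constructed sample modelled on the lines quoted in the thread (hostname is invented).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address             Foreign Address         State
tcp        0      0 myhost.example:37775      218.25.160.246:ssh      SYN_SENT
tcp        0      0 myhost.example:safetynetp 218.25.17.78:ssh        SYN_SENT
tcp        0      0 myhost.example:57080      218.25.228.66:ssh       ESTABLISHED
tcp        0      0 myhost.example:47493      218.25.164.66:ssh       SYN_SENT
tcp        0      0 myhost.example:55216      218.25.23.202:ssh       SYN_SENT
tcp        0      0 myhost.example:ssh        192.0.2.10:51234        ESTABLISHED
tcp        0      0 myhost.example:http       198.51.100.7:40110      ESTABLISHED
"""


def port_number(port_field):
    """Turn '37775' or a service name such as 'ssh' into an int (None if unknown)."""
    if port_field.isdigit():
        return int(port_field)
    return SERVICE_PORTS.get(port_field)


def split_endpoint(endpoint):
    """'host:port' -> (host, port_number); the port follows the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port_number(port)


def parse_netstat(text):
    """Parse TCP lines into dicts; the header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        local_host, local_port = split_endpoint(fields[3])
        remote_host, remote_port = split_endpoint(fields[4])
        conns.append({
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": fields[5] if len(fields) > 5 else "",
        })
    return conns


def outbound_ssh(conns):
    """Connections whose remote side is port 22: this host is the client, not the server."""
    return [c for c in conns if c["remote_port"] == 22 and c["local_port"] != 22]


def find_scan_sources(conns, prefixlen=16, min_targets=3):
    """Group outbound ssh targets by /prefixlen and report prefixes with many distinct hosts.

    Returns {network_string: sorted list of target IPs}; one host being
    probed in several prefixes shows up as several entries.
    """
    by_net = defaultdict(set)
    for c in outbound_ssh(conns):
        try:
            ip = ipaddress.ip_address(c["remote_host"])
        except ValueError:
            continue  # a hostname rather than an address; `netstat -n` avoids this
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[str(net)].add(str(ip))
    return {net: sorted(hosts) for net, hosts in by_net.items()
            if len(hosts) >= min_targets}


def lowest_client_port(conns):
    """Smallest local port among the outbound ssh connections (None if there are none).

    Below 1024 would mean the scanning process can bind privileged ports;
    ephemeral ports above that are consistent with an unprivileged account.
    """
    ports = [c["local_port"] for c in outbound_ssh(conns) if c["local_port"] is not None]
    return min(ports) if ports else None


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for net, targets in find_scan_sources(conns).items():
        print(f"{net}: {len(targets)} distinct ssh targets, e.g. {targets[:3]}")
    print("lowest client-side port:", lowest_client_port(conns))
```

On the sample this reports a single prefix, 218.25.0.0/16, with five distinct targets, while the inbound ssh session from 192.0.2.10 and the http connection are ignored because the local side is the server there. Run against real `netstat -ntp` output the same grouping points at the process id to stop, which is the next step the thread recommends.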