Remote ssh attack: sshd tries to make udp connection to a remote host
For grsec policy related questions I suggest using the upstream
grsec mailing list.

On Sat, 2007-12-29 at 18:11 +0100, atoth@atoth.sote.hu wrote:
> I've found a bunch of these messages in my log:
> "grsec: From 219.87.17.209: (root:U:/usr/sbin/sshd) denied connect() to
> 219.87.17.3 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031]
> uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0
> gid/egid:0/0"
> Along with these:
> "Address 219.87.17.209 maps to cameo.com.tw, but this does not map back to
> the address - POSSIBLE BREAK-IN ATTEMPT!"
>
> Is it a normal behavior of the sshd to make udp connections to remote
> host? Especially using port 0? I have a feeling somebody could make my
> sshd do bad things without grsec's RBAC system.
>
> It annoys me. Is there anybody on the list with the same experience or
> who knows more about this?
>
> Regards,
> Dw.
> --
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>

--
gentoo-hardened@gentoo.org mailing list