Remote ssh attack: sshd tries to make udp connection to a remote host
For grsec policy related questions I suggest using the upstream
grsec mailing list.
On Sat, 2007-12-29 at 18:11 +0100, email@example.com wrote:
> I've found a bunch of these messages in my log:
> "grsec: From 18.104.22.168: (root:U:/usr/sbin/sshd) denied connect() to
> 22.214.171.124 port 0 sock type dgram protocol udp by /usr/sbin/sshd[sshd:19031]
> uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:4997] uid/euid:0/0
> Along with these:
> "Address 126.96.36.199 maps to cameo.com.tw, but this does not map back to
> address - POSSIBLE BREAK-IN ATTEMPT!"
> Is it a normal behavior of the sshd to make udp connections to remote
> host? Especially using port 0? I have a feeling somebody could make my
> sshd do bad things without grsec's RBAC system.
> It annoys me. Are there anybody on the list with the same experience or
> who knows more about this?
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962