I am running FreeBSD 7 and I get this in /var/log/security :
+++ /tmp/security.AIKARuA1 2009-06-30 03:05:17.000000000 +0500
+TCP: [69.147.83.36]:80 to [115.186.130.56]:50488 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1440 bytes of data after socket was closed, sending RST and removing tcpcb
+TCP: [69.147.83.36]:80 to [115.186.130.56]:55740 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1440 bytes of data after socket was closed, sending RST and removing tcpcb
+TCP: [69.147.83.33]:80 to [115.186.130.56]:52461 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1440 bytes of data after socket was closed, sending RST and removing tcpcb
+TCP: [69.147.83.36]:80 to [115.186.130.56]:57401 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1440 bytes of data after socket was closed, sending RST and removing tcpcb
What I can infer from here, which is quite obvious, is that client sent some data while the connection was supposed to be closed.
Could this be a case where I initiated an ssh session, got had a Man-in-the-Middle soemwhere without me knowing, and after I closed the SSH session he tried to connect again?
This can happen in cases where one side does an RST not a proper close, and if there's enough latency data can be in-flight for a while afterwards, or even due to queueing after both sides have closed.
In short, data after close is fairly innocuous as the session had to be up in the first place to cause that, so don't worry.
Look at the source address: [69.147.83.36]:80. Notice port 80 - it is a HTTP trafic. Somebody connects to your Web-server, write requests, gets data. Then your server shuts the connection down but your client doesn't understand this and continue sending requests.
It is not a security issue. It is possibly a misconfiguration of the server or bug in client.