Re: Hundreds of sshd processes spawned by Postgresql

[Hanspeter Spalinger <hanfi@spahan.ch>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Am 24.06.10 04:58, schrieb Marc Shapiro:
> I am running a Lenny box, with postgressq-8.4.
> 
> I ran ps -e, just now, and there were over 350 sshd processes running under user postgres.  I killed the postgresql-8.4 process, but the sshd processes were still there, so I killed them.  I then started postgres again, followed by ssh.  I immediately ran ps -e and the where over 200 sshd processes, again.  Is this normal?  There should not be anything running, that I know of, that should be accessing any databases.
> 
> I have again killed postgresql and sshd processes.  I am hoping for an answer before I restart ssh, but that will keep me from connecting via ssh from my laptop.
> 
> Any help appreciated.
> 
>  -- 
> Marc Shapiro
> mshapiro_42@yahoo.com
> 
> 

- - are those sshds logins (eg, not servers)?
check 'netstat -anp | grep sshd'.
if those processes are LISTEN, they are servers, if they are
ESTABLISHED, you seeing login (attempts maybe)

If those are servers, you most likely got hacked -> get help from google
and friends for advice.
If those are login (attempts) read on.

- - are those actual connections or just login attempts? On my squeeze
logged in users show 2 lines like:
root     26011  [...]        Ss   15:04   0:00 sshd: spahan [priv]
spahan   26013  [...]        S    15:04   0:00 sshd: spahan@pts/1
For login attempts it shows
root     26126  [...]        Ss   15:24   0:00 sshd: spahan [priv]
sshd     26127  [...]        S    15:24   0:00 sshd: spahan [net]

pstree may help too identify this:

├─sshd(1174)─┬─sshd(26011)───sshd(26013)───bash(26014)───pstree(26128)
│            ├─sshd(26107)───sshd(26110)───bash(26111)
│            └─sshd(26126)───sshd(26127)

(first and second line is a succseffully logged in user, third line is a
login attempt)

If those are just login-attempts, someone is trying to bruteforce a
login or ddos you, if your pws and keys are strong, you may ignore this
or use something like fail2ban to slow them down -> check google for
"sshd bruteforce" you find lot of different ways to deal with this

If those are successfull logins, check /var/log/auth.log, it should tell
you how people logged in (eg, password or keylogin).

In any case, i dont think the default posgresql setup allows ssh-login
into a lenny box.
Somehow someone had to enable this. If it was not you, you got hacked
and you computer (and its data) is not save anymore. -> check google and
friends for recovery/advice.
If you did setup this (for backup/maintenance from external hosts for
example), you should check the password (if pw login was used) or the
key (if keylogin was used). If key-login, did you created the key during
the "debian-key-debakel" where weak keys been generated? Did you updated
that key after the leak (i remember the update to solve the problem
searched for keys, but maybe it didnt found that one?)
Or maybe your external maintenance/backup script runs wild?


Good Luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAkwjYaEACgkQpjmLjrU66/4zcwEAgYmHhzp+RNqkd6Hm1Tfnf6RG
Ns4M7eNo2zB7zeafee4A/3e8k3GvnhmgXxqQIpOlBefv2VHxe27n+qiYIrlC635S
=MPng
-----END PGP SIGNATURE-----