Re: Hundreds of sshd processes spawned by Postgresql
Sorry, Hanspeter, for the extra posting to you directly.
----- Original Message ----
> From: Hanspeter Spalinger <hanfi@spahan.ch>
>
> Marc Shapiro wrote:
> > I am running a Lenny box, with postgresql-8.4.
> >
> > I ran ps -e, just now, and there were over 350 sshd processes
> > running under user postgres. I killed the postgresql-8.4 process,
> > but the sshd processes were still there, so I killed them. I then
> > started postgres again, followed by ssh. I immediately ran ps -e and
> > there were over 200 sshd processes, again. Is this normal? There
> > should not be anything running, that I know of, that should be
> > accessing any databases.
>
> - are those sshds logins (e.g., not servers)?
> Check 'netstat -anp | grep sshd'.
> If those processes are LISTEN, they are servers; if they are
> ESTABLISHED, you are seeing login (attempts maybe).
> If those are servers, you most likely got hacked -> get help from
> google and friends for advice.
> If those are login (attempts), read on.
>
> - are those actual connections or just login attempts? On my squeeze,
> logged in users show 2 lines like:
> root 26011 [...] Ss 15:04 0:00 sshd: spahan [priv]
> spahan 26013 [...] S 15:04 0:00 sshd: spahan@pts/1
> For login attempts it shows
> root 26126 [...] Ss 15:24 0:00 sshd: spahan [priv]
> sshd 26127 [...] S 15:24 0:00 sshd: spahan [net]

I am getting lines like:
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd

Most of the lines (about 120?) say ESTABLISHED. Only about 6 say SYN_SENT.
Does this mean someone is attempting to connect, but has not yet been
successful?

I will check pstree after I get home from work.
Meanwhile, I keep shutting down postgres and killing the processes.
--
Marc Shapiro
mshapiro_42@yahoo.com
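
An added example, not part of the original messages: a shell function that tallies `netstat -anp` lines by direction and TCP state, where a line with an ephemeral local port and the SSH port on the foreign side is a connection opened from this host. The function names, the port-22 default and the last two sample lines are constructed for illustration; the first two sample lines are the ones quoted in the message above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netstat socket lines by
# direction and state. Assumption: SSH uses port 22 unless an argument says
# otherwise.
classify_sockets() {
    port="${1:-22}"
    awk -v port="$port" '
    $1 ~ /^tcp/ {
        # netstat columns: proto recv-q send-q local foreign state pid/program
        lport = $4; sub(/.*:/, "", lport)   # keep only the port after the last ":"
        fport = $5; sub(/.*:/, "", fport)
        if ($6 == "LISTEN")      dir = "listener"   # a server socket
        else if (lport == port)  dir = "inbound"    # a peer connected to this host
        else if (fport == port)  dir = "outbound"   # this host connected to the peer
        else                     dir = "other"
        count[dir " " $6]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Sample input: the first two lines are quoted in the message above, the
# last two are constructed to show a listener and an inbound login.
sample_netstat() {
cat <<'EOF'
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1200/sshd
tcp 0 0 192.168.1.2:22 192.168.1.50:51234 ESTABLISHED 26011/sshd
EOF
}

# Prints one "direction state count" line per combination seen.
sample_netstat | classify_sockets 22
```

On a live system the input would be `netstat -anp | grep sshd`, run as root so the PID/program column is populated.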