Re: Hundreds of sshd processes spawned by Postgresql
Marc Shapiro put forth on 6/24/2010 9:47 AM:
> I am getting lines
> like:
> tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
> tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
SSH connection. 59.120.163.53 is HINET network space in Taiwan.
You need to pull the cable on the machine, or firewall out all SSH connections
but _yours_ and clean up the box. Given that they're able to make _outbound_
ssh connections from your host, they likely have root access already and/or
have installed a rootkit.
Your only truly safe bet is to wipe the machine's disks and reinstall Debian
from scratch. Back up your database first and any critical files.
--
Stan
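
The check described in the reply above, as an added example that is not part of the original message: it parses `netstat -tnp` style rows and flags connections where a process named `sshd` is the client side of a connection to remote port 22. The function names and the last two sample rows are constructed for illustration; the first two rows are the ones quoted in the thread.

```python
from collections import Counter

# Column order as in `netstat -tnp`: proto, recv-q, send-q, local, remote,
# state, pid/program. Rows 1-2 are quoted in the thread; rows 3-4 are
# constructed benign traffic (an inbound login and a normal ssh client).
SAMPLE = """\
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 192.168.1.2:22 192.168.1.10:51514 ESTABLISHED 2210/sshd
tcp 0 0 192.168.1.2:40112 192.168.1.20:22 ESTABLISHED 3301/ssh
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms like ':::22' work."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)  # raises ValueError on '*' (listening sockets)

def outbound_ssh_from_daemon(netstat_text, daemon="sshd", ssh_port=22):
    """Return rows where a process named like the SSH daemon holds a socket
    whose remote port is 22 and whose local port is not 22."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # headers, UDP/unix sockets, truncated rows
        local, remote, state, owner = fields[3:7]
        if "/" not in owner:
            continue  # owner shown as '-' when netstat ran without root
        pid, _, program = owner.partition("/")
        try:
            _, lport = split_endpoint(local)
            rhost, rport = split_endpoint(remote)
            pid = int(pid)
        except ValueError:
            continue
        # netstat prints session processes as 'sshd:'; strip the colon
        if program.rstrip(":") == daemon and rport == ssh_port and lport != ssh_port:
            hits.append({"pid": pid, "remote": rhost, "state": state})
    return hits

def summarize(hits):
    """Count flagged connections per TCP state (many SYN_SENT suggests scanning)."""
    return Counter(h["state"] for h in hits)

if __name__ == "__main__":
    for hit in outbound_ssh_from_daemon(SAMPLE):
        print(hit)
```

A host used as an SSH jump host can legitimately show such rows, because the daemon opens the forwarded connection itself; on a database server with no forwarding in use, any hit warrants investigation.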