
Re: Hundreds of sshd processes spawned by Postgresql



Marc Shapiro put forth on 6/24/2010 9:47 AM:

> I am getting lines like:
> tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
> tcp        0      0 192.168.1.2:35055      59.120.163.53:22        ESTABLISHED 9995/sshd

It appears someone has cracked/pwn3d your Debian host.  That's an _outbound_
SSH connection.  59.120.163.53 is HINET network space in Taiwan.

You need to pull the cable on the machine, or firewall out all SSH connections
but _yours_ and clean up the box.  Given that they're able to make _outbound_
ssh connections from your host, they likely have root access already and/or
have installed a rootkit.

Your only truly safe bet is to wipe the machine's disks and reinstall Debian
from scratch.  Back up your database first and any critical files.

-- 
Stan
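
An added example, not part of the original message: a shell filter that applies the reading above to `netstat -tnp` style output, flagging connections where a process named sshd is the client (remote port 22, local port not 22). The function names are made up for this example, the first two sample lines are the ones quoted in the thread, the rest are constructed, and it assumes the real sshd listens on port 22.

```shell
#!/bin/sh
# A genuine sshd only accepts connections, so its local side is the
# listening port. A process called "sshd" whose REMOTE port is 22 is
# acting as an SSH client, which the real daemon never does.
# Usage on a live host (as root, so PIDs are shown):
#   netstat -tnp | flag_outbound_sshd
# Assumption: sshd listens on 22; pass another port as $1 otherwise.
flag_outbound_sshd() {
    awk -v port="${1:-22}" '
        # $4 local addr, $5 remote addr, $6 state, $7 PID/program.
        # The program column may read "sshd" or "sshd: user [priv]".
        $1 ~ /^tcp/ && $7 ~ /\/sshd(:|$)/ {
            n = split($4, l, ":"); lport = l[n]   # last piece is the port,
            m = split($5, r, ":"); rport = r[m]   # also for tcp6 addresses
            if (rport == port && lport != port)
                print $6, $7, $4, "->", $5
        }'
}

# Sample input. Lines 1-2 are from the thread; lines 3-5 are constructed
# to show traffic that must NOT be flagged (listener, inbound login,
# ordinary ssh client).
sample_netstat() {
    cat <<'EOF'
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055      59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.2:22          10.0.0.5:51515          ESTABLISHED 1200/sshd: marc
tcp        0      0 192.168.1.2:40112       10.0.0.9:22             ESTABLISHED 2301/ssh
EOF
}

sample_netstat | flag_outbound_sshd
```

Only the two lines from the thread are printed. The PIDs it reports (here 9853 and 9995) are the processes to examine, for instance by checking which binary `/proc/<pid>/exe` points to.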

