
Re: Hundreds of sshd processes spawned by Postgresql



On Fri, 25 Jun 2010 03:30:52 -0500
Stan Hoeppner <stan@hardwarefreak.com> wrote:

> Marc Shapiro put forth on 6/24/2010 9:47 AM:
> 
> > I am getting lines 
> > like:
> > tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
> > tcp        0      0 192.168.1.2:35055      59.120.163.53:22        ESTABLISHED 9995/sshd
> 
> It appears someone has cracked/pwn3d your Debian host.  That's an _outbound_
> SSH connection.  59.120.163.53 is HINET network space in Taiwan.
> 
> You need to pull the cable on the machine, or firewall out all SSH connections
> but _yours_ and clean up the box.  Given that they're able to make _outbound_
> ssh connections from your host, they likely have root access already and/or
> have installed a rootkit.

Why is outbound ssh access indicative of root access?

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
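
Added example, not part of the original message or thread: a check over `netstat -tnp` output of the kind quoted above, flagging sockets labelled sshd whose remote end is port 22 while the local end is not, i.e. connections opened from the host rather than accepted by it. It assumes the local sshd listens on port 22; the first two sample rows are the ones quoted in the message, the others are constructed.

```python
import re
from typing import NamedTuple

SSHD_PORT = 22  # assumption: the local sshd listens on the default port

class Conn(NamedTuple):
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    program: str

# IPv4 TCP rows of `netstat -tnp` (run as root so the PID/Program column is filled in).
ROW = re.compile(
    r"^tcp\s+\d+\s+\d+\s+[\d.]+:(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>[A-Z_0-9]+)\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse(text):
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # header, LISTEN rows (foreign port "*"), rows with no PID ("-")
        # Session children show up as "sshd: user [priv]"; keep only the name.
        prog = m["prog"].rstrip(":")
        conns.append(Conn(int(m["lport"]), m["rip"], int(m["rport"]),
                          m["state"], int(m["pid"]), prog))
    return conns

def outbound_from_sshd(conns, sshd_port=SSHD_PORT):
    """sshd-labelled sockets whose *remote* end is the SSH port: opened from this host."""
    return [c for c in conns
            if c.program == "sshd" and c.local_port != sshd_port
            and c.remote_port == sshd_port]

# First two rows are the ones quoted in the message; the rest are constructed.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055      59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      0 192.168.1.2:22          192.168.1.10:51514      ESTABLISHED 1201/sshd: user [priv]
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""

if __name__ == "__main__":
    for c in outbound_from_sshd(parse(SAMPLE)):
        print(f"pid {c.pid}: {c.state} -> {c.remote_ip}:{c.remote_port}")
```

A hit is a lead to investigate, not a verdict: sshd also opens outbound sockets when a client forwards a connection through the host (`ssh -L`, `-W`, `ProxyJump`), and the program column is only a label, so compare `/proc/<pid>/exe` with the installed sshd binary.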

