Re: Hundreds of sshd processes spawned by Postgresql
On Fri, 25 Jun 2010 03:30:52 -0500
Stan Hoeppner <stan@hardwarefreak.com> wrote:
> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>
> > I am getting lines
> > like:
> > tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
> > tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
>
> It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
> SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>
> You need to pull the cable on the machine, or firewall out all SSH connections
> but _yours_ and clean up the box. Given that they're able to make _outbound_
> ssh connections from your host, they likely have root access already and/or
> have installed a rootkit.
Why is outbound ssh access indicative of root access?
Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
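
The observation in the quoted message, that sockets owned by a process named sshd have port 22 on the foreign side rather than the local side, can be checked mechanically over `netstat -tnp` output. This is an added example, not part of the original thread; the first two sample lines are the ones quoted above, the remaining lines are constructed, and port 22 as the local sshd listening port is an assumption.

```python
import re

SSHD_PORT = 22  # assumption: the local sshd listens on the default port

# netstat -tnp fields: proto recv-q send-q local foreign state pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None for '*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None

def suspicious_sshd_connections(netstat_text):
    """Return (pid, foreign_addr, state) for sockets owned by a process named
    sshd whose local port is not the sshd port and whose foreign port is 22,
    i.e. the 'sshd' process is behaving like an SSH client."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        # "sshd: user" session processes show up as "sshd:" in this field
        if not m or m["prog"].rstrip(":") != "sshd" or m["state"] == "LISTEN":
            continue
        _, lport = split_endpoint(m["local"])
        faddr, fport = split_endpoint(m["foreign"])
        if lport != SSHD_PORT and fport == 22:
            hits.append((int(m["pid"]), faddr, m["state"]))
    return hits

# Lines 1-2 are from the thread; lines 3-5 are constructed for contrast.
SAMPLE = """\
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 800/sshd
tcp 0 0 192.168.1.2:22 192.168.1.50:51234 ESTABLISHED 1201/sshd
tcp 0 0 192.168.1.2:40000 192.168.1.9:22 ESTABLISHED 2210/ssh
"""

if __name__ == "__main__":
    for pid, addr, state in suspicious_sshd_connections(SAMPLE):
        print(f"pid {pid}: sshd-named process connecting out to {addr}:22 ({state})")
```

The listening socket, the inbound session on local port 22 and the ordinary `ssh` client are not flagged; only the two sshd-named processes with ephemeral local ports are.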