
Re: Hundreds of sshd processes spawned by Postgresql



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 25.06.10 18:51, Tom Furie wrote:
> On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
>> On Fri, 25 Jun 2010 03:30:52 -0500
>> Stan Hoeppner <stan@hardwarefreak.com> wrote:
>>
>>> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>>>
>>>> I am getting lines like:
>>>> tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
>>>> tcp        0      0 192.168.1.2:35055      59.120.163.53:22        ESTABLISHED 9995/sshd
>>>
>>> It appears someone has cracked/pwn3d your Debian host.  That's an _outbound_
>>> SSH connection.  59.120.163.53 is HINET network space in Taiwan.
>>
>> Why is outbound ssh access indicative of root access?
> 
> The thing that confuses me here is that these look like outbound
> connections, from a local high port to a remote :22, but then why are
> they ssh*d* processes rather than ssh? Some sort of port-forwarding?
That was my first guess too, but I was not able to reproduce the OP's
output by using port forwarding.
Forwarded ports on my lenny host do NOT appear using sshd as process name
in netstat, they appear with /0 at the end in netstat (can anyone explain
why and what exactly this means?)

So my next guess would be they just use a specially crafted application
(maybe inserted by hacking postgresql and run by that account, as the OP
mentioned those processes are owned by postgresql). But then why use
sshd as camouflage? Wouldn't ssh be more reasonable and less weird (as a
sshd connecting outbound is a weird thing)?

And about the root, I don't think they have root access since if so,
they would use a root-kit which tries to hide those connections and
processes by not showing them in ps and netstat (at least the rootkits I
have read about so far do that). So I would guess this too looks like
postgresql server got hacked but not root (so far)?
(Could any security guru tell me if this sounds reasonable? Or am I
completely thinking the wrong way?)

On the other side this all could be just a camouflage (?) but that
wouldn't make a lot of sense, as postgresql doing sshd is not really a good
camouflage...
> 
> Cheers,
> Tom
> 
Confused too
HP
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAkwk5aUACgkQpjmLjrU66/5bFwD9Hf/zz8ywcdtWaaTunzf/chjE
8tOevltfjSAkPQd62Z4A/0ftRdVS8zPRKkPbWXUcQ2mk6Hhf76HMoeTyKfjccHdz
=FSPM
-----END PGP SIGNATURE-----
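The anomaly the thread circles around is a process named sshd that owns the client side of a connection to someone else's port 22: a server-side sshd only ever has local port 22 (the listener and the sessions it accepts), and dialling out is the job of ssh. The script below is an added example, not code from the thread or from net-tools; it parses `netstat -tnpa`-style lines (sample output constructed here, the two 59.120.* lines being the ones quoted above) and flags exactly that pattern, while leaving the listener, inbound sessions and a genuine ssh client alone. The column layout and the `sshd: user` program-name form are assumed to match Linux net-tools output.

```python
"""Flag outbound SSH connections attributed to an sshd process in netstat output.

Added example for the debian-user thread, not part of the original mail.
"""
import re
from typing import List, NamedTuple, Optional


class Conn(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: Optional[int]   # None for the "*" of a listening socket
    state: str
    pid: Optional[int]           # None when netstat printed "-"
    prog: str                    # program name as netstat prints it, e.g. "sshd"


# One data line of `netstat -tnpa` (Linux net-tools, assumed layout):
# proto, recv-q, send-q, local, foreign, state, pid/program.
# The program field may contain spaces ("sshd: admin"), so it runs to end of line.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<pidprog>\S.*?)\s*$"
)

# Constructed sample: header, the sshd listener, an accepted session, a normal
# ssh client, the two lines quoted in the thread, and a socket with no visible PID.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 192.168.1.2:22          192.168.1.7:51022       ESTABLISHED 2345/sshd: admin
tcp        0      0 192.168.1.2:40112       192.168.1.5:22          ESTABLISHED 3456/ssh
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055       59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      0 192.168.1.2:5432        192.168.1.9:44021       ESTABLISHED -
"""


def parse_netstat(text: str) -> List[Conn]:
    """Parse data lines; header lines and anything else are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pidprog = m.group("pidprog")
        if pidprog == "-":
            pid, prog = None, "-"
        else:
            pid_s, _, prog = pidprog.partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
            # "sshd: admin" -> "sshd"; keep only the program name itself
            prog = prog.split()[0].rstrip(":") if prog else "-"
        rport = m.group("rport")
        conns.append(Conn(
            m.group("proto"), m.group("laddr"), int(m.group("lport")),
            m.group("raddr"), None if rport == "*" else int(rport),
            m.group("state"), pid, prog,
        ))
    return conns


def is_outbound_sshd(c: Conn) -> bool:
    """True when a process named sshd is the *client* of a connection to a remote :22.

    A listening sshd and its accepted sessions always have local port 22, so a
    high local port with remote port 22 under the name sshd is the oddity the
    thread asks about; a real ssh client is not reported.
    """
    return (c.prog == "sshd"
            and c.remote_port == 22
            and c.local_port != 22
            and c.state in ("SYN_SENT", "ESTABLISHED"))


def flag_outbound_sshd(text: str) -> List[str]:
    """Return one human-readable line per suspicious connection."""
    return [f"{c.pid}/{c.prog} -> {c.remote_addr}:{c.remote_port} ({c.state})"
            for c in parse_netstat(text) if is_outbound_sshd(c)]


if __name__ == "__main__":
    for hit in flag_outbound_sshd(SAMPLE):
        print("suspicious:", hit)
```

On a live host the same check is `netstat -tnpa | python3 this_script.py`-style input piped to `flag_outbound_sshd`; note that `-p` only shows PIDs for sockets the invoking user can see, so run it as root, and treat a hit as a reason to look at the process (its owner, cwd and executable under /proc) rather than as proof by itself.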

