
Re: Hundreds of sshd processes spawned by Postgresql


From: Hanspeter Spalinger <debian@spahan.ch>
> Tom Furie wrote:
>> On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
>>> On Fri, 25 Jun 2010 03:30:52 -0500
>>> Stan Hoeppner wrote:
>>>
>>>> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>>>>
>>>>> I am getting lines like:
>>>>> tcp        0      1  192.168.1.2:49526       59.120.141.34:22         SYN_SENT    9853/sshd
>>>>> tcp        0      0 192.168.1.2:35055       59.120.163.53:22        ESTABLISHED  9995/sshd
>>>>
>>>> It appears someone has cracked/pwn3d your Debian host.  That's an _outbound_
>>>> SSH connection.  59.120.163.53 is HINET network space in Taiwan.
>>>
>>> Why is outbound ssh access indicative of root  access?
>> 
>> The thing that confuses me here is that these look like outbound
>> connections, from a local high port to a remote :22, but then
>> why are they ssh*d* processes rather than ssh? Some sort of
>> port-forwarding

I was also curious about this, but I don't know just how ssh and sshd work, so I had not yet commented.

> That was my first guess too, but I was not able to reproduce the OP's
> output by using port forwarding. Forwarded ports on my lenny host
> do NOT appear using sshd as process name in netstat, they appear with /0 at the
> end in netstat (anyone can explain why and what exactly this means?)
>
> So my next guess would be they just use a specially crafted application
> (maybe inserted by hacking postgresql and run by that account, as the OP
> mentioned those processes are owned by postgresql). But then why use
> sshd as camouflage? Wouldn't ssh be more reasonable and less weird (as a
> sshd connecting outbound is a weird thing)?

If so, might I fix this by purging postgresql from the system?

> 
> And about the root, I don't think they have root access since if so,
> they would use a root-kit which tries to hide those connections and
> processes by not showing them in ps and netstat (at least the rootkits I
> have read about so far do that). So I would guess this too looks like
> postgresql server got hacked but not root (so far)?

That, at least, sounds encouraging.  Maybe I CAN just purge postgresql, remove the postgres user, and make sure there are no references in /etc/init.d?

> (Could any security guru tell me if this sounds reasonable? Or am I
> completely thinking the wrong way?)
>
> On the other side this all could be just a camouflage (?) but that
> wouldn't make a lot of sense as postgresql doing sshd is not really a good
> camouflage...

For now, the system is powered down and the FIOS router is disconnected.  Whoever got to my box had to get past the router's firewall, so I am hoping that it gets a new IP address when I do plug it back in.  I'm trying to figure out how a cracker got past the firewall.  I know that firewalls are not perfect, but it keeps most ports closed, by default, and I do not think that I opened any up.

-- 
Marc Shapiro
mshapiro_42@yahoo.com
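The puzzle in this thread is a server daemon (sshd) showing up as the owner of client-side sockets to remote port 22, many of them still in SYN_SENT. The script below is an added example, not something anyone in the thread posted: it parses `netstat -tnp`-style output and pulls out exactly that pattern so it can be reviewed. The sample text is constructed (only the first two connection lines echo what Marc saw; the rest are made up), and the heuristics are assumptions of this example: a local port of 1024 or higher marks the client side of a connection, and the set of programs treated as "should not be dialling out" is a hand-picked list.

```python
"""Triage helper for `netstat -tnp` output: find server daemons that own
outbound SSH connections and count how many hosts they are reaching.
Added example; sample data and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -tnp` on a Linux host.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055       59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      1 192.168.1.2:49530       59.120.141.35:22        SYN_SENT    9854/sshd
tcp        0      0 192.168.1.2:22          192.168.1.10:51234      ESTABLISHED 2210/sshd
tcp        0      0 192.168.1.2:41002       192.168.1.20:5432       ESTABLISHED 3001/psql
tcp        0      0 127.0.0.1:5432          127.0.0.1:41002         ESTABLISHED 1800/postgres
"""

# One netstat TCP line: proto, queues, local addr:port, foreign addr:port,
# state, PID/program (or "-" when netstat could not read /proc for it).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pidprog>\S+)\s*$"
)

EPHEMERAL_MIN = 1024  # assumption: local ports >= 1024 are the client side

# Assumption for this example: programs that exist to accept connections.
# Them originating SSH sessions to the outside is what the thread found odd.
SERVER_DAEMONS = {"sshd", "postgres"}


def parse_netstat(text):
    """Turn netstat text into a list of connection dicts; headers are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, _, prog = m.group("pidprog").partition("/")
        conns.append({
            "proto": m.group("proto"),
            "laddr": m.group("laddr"), "lport": int(m.group("lport")),
            "raddr": m.group("raddr"), "rport": int(m.group("rport")),
            "state": m.group("state"),
            "pid": int(pid) if pid.isdigit() else None,
            "prog": prog or None,
        })
    return conns


def is_outbound_ssh(conn):
    """Client-side socket (high local port) talking to a remote port 22."""
    return conn["rport"] == 22 and conn["lport"] >= EPHEMERAL_MIN


def flag_daemon_outbound_ssh(conns):
    """Connections where a server daemon is the one dialling out to :22.
    An inbound session (local port 22 owned by sshd) is deliberately not hit."""
    return [c for c in conns if is_outbound_ssh(c) and c["prog"] in SERVER_DAEMONS]


def outbound_ssh_fanout(conns):
    """How many distinct remote hosts each program is contacting on port 22.
    A large number from one program is the 'hundreds of processes' signature."""
    hosts = defaultdict(set)
    for c in conns:
        if is_outbound_ssh(c):
            hosts[c["prog"]].add(c["raddr"])
    return {prog: len(h) for prog, h in hosts.items()}


def pending_connects(conns):
    """Sockets stuck in SYN_SENT: connection attempts that have not completed."""
    return [c for c in conns if c["state"] == "SYN_SENT"]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for c in flag_daemon_outbound_ssh(conns):
        print(f"REVIEW pid={c['pid']} {c['prog']} -> {c['raddr']}:{c['rport']} ({c['state']})")
    print("distinct :22 targets per program:", outbound_ssh_fanout(conns))
    print("half-open attempts:", len(pending_connects(conns)))
```

Run it against a saved `netstat -tnp` capture (as root, so the PID/Program column is populated) rather than the constructed sample. Everything it flags is a review queue, not a verdict: a host that legitimately relays sessions, such as a jump host used via ProxyJump, will have its sshd opening onward connections to port 22 and would need an allowlist, whereas on a workstation or database box like the one in this thread there is no benign reason for sshd to hold many SYN_SENT sockets toward unrelated Internet hosts.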