Re: Hundreds of sshd processes spawned by Postgresql
From: Hanspeter Spalinger <debian@spahan.ch>
> Tom Furie wrote:
>> On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
>>> On Fri, 25 Jun 2010 03:30:52 -0500
>>> Stan Hoeppner wrote:
>>>
>>>> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>>>>
>>>>> I am getting lines like:
>>>>> tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
>>>>> tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
>>>>
>>>> It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
>>>> SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>>>
>>> Why is outbound ssh access indicative of root access?
>>
>> The thing that confuses me here is that these look like outbound
>> connections, from a local high port to a remote :22, but then
>> why are they ssh*d* processes rather than ssh? Some sort of
>> port-forwarding
I was also curious about this, but I don't know just how ssh and sshd work, so I had not yet commented.
> That was my first guess too, but I was not able to reproduce the OP's
> output by using port forwarding. Forwarded ports on my lenny host
> do NOT appear using sshd as process name in netstat, they appear with /0 at the
> end in netstat (can anyone explain why and what exactly this means?)
>
> So my next guess would be they just use a special crafted application
> (maybe inserted by hacking postgresql and run by that account, as the OP
> mentioned those Processes are owned by postgresql). But then why use
> sshd as camouflage? wouldn't ssh be more reasonable and less weird (as a
> sshd connecting outbound is a weird thing)?
If so, might I fix this by purging postgresql from the system?
>
> And about the root, I don't think they have root access since if so,
> they would use a rootkit which tries to hide those connections and
> processes by not showing them in ps and netstat (at least the rootkits I
> have read about so far do that). So I would guess this too looks like
> postgresql server got hacked but not root (so far)?
That, at least, sounds encouraging. Maybe I CAN just purge postgresql, remove the postgres user, and make sure there are no references in /etc/init.d?
> (Could any security guru tell me if this sounds reasonable? Or am I
> completely thinking the wrong way?)
>
> On the other side this all could be just a camouflage (?) but that
> wouldn't make a lot of sense as postgresql doing sshd is not really a good
> camouflage...
For now, the system is powered down and the FIOS router is disconnected. Whoever got to my box had to get past the router's firewall, so I am hoping that it gets a new IP address when I do plug it back in. I'm trying to figure out how a cracker got past the firewall. I know that firewalls are not perfect, but it keeps most ports closed, by default, and I do not think that I opened any up.
--
Marc Shapiro
mshapiro_42@yahoo.com
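A small triage script, added here as an example and not part of the thread, that applies the distinction Tom raises above (a local high port talking to a remote :22, yet owned by a process calling itself sshd) to `netstat -tnp` style output. The sample lines are constructed around the addresses the OP pasted; the header line and the `ssh`/inbound rows are made up for contrast.

```python
import re
from typing import Dict, List

# Constructed sample modelled on `netstat -tnp` output; the two 59.120.x.x
# rows are the ones quoted in the thread, the others are added for contrast.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.2:22 192.168.1.10:51234 ESTABLISHED 1234/sshd
tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
tcp 0 0 192.168.1.2:40012 192.168.1.20:22 ESTABLISHED 2001/ssh
"""

# One netstat row: proto, queues, local addr:port, remote addr:port, state,
# then "PID/program" (netstat prints "-" when the PID is not visible).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<pid>\d+|-)/?(?P<prog>\S*)"
)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse TCP rows out of netstat output, skipping headers and non-TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_sshd_outbound(rows: List[Dict[str, str]], ssh_port: str = "22"):
    """Flag rows where the *daemon* (sshd) owns an outbound-looking connection:
    remote side on the SSH port, local side on an ephemeral (>= 1024) port.
    A legitimate sshd accepts connections on its own :22, it does not dial out."""
    return [
        r for r in rows
        if r["prog"] == "sshd" and r["rport"] == ssh_port and int(r["lport"]) >= 1024
    ]


if __name__ == "__main__":
    for hit in suspicious_sshd_outbound(parse_netstat(SAMPLE_NETSTAT)):
        print(f"review PID {hit['pid']}: sshd -> {hit['raddr']}:{hit['rport']} ({hit['state']})")
```

Run it against `netstat -tnp` output saved from the affected host; any hit is a process to inspect (owner, binary path, open files) before deciding what to purge.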