
Re: Hundreds of sshd processes spawned by Postgresql



Ron Johnson put forth on 6/25/2010 3:00 PM:
> On 06/25/2010 01:47 PM, Marc Shapiro wrote:
>>
>>
>> From: Hanspeter Spalinger<debian@spahan.ch>
> [snip]
>>>
>>> On the other side this all could be just a camouflage (?) but that
>>> wouldn't make a lot of sense, as postgresql doing sshd is not really a good
>>> camouflage...
>>
>> For now, the system is powered down and the FIOS router is
>> disconnected.  Whoever got to my box had to get past the router's
>> firewall, so I am hoping that it gets a new IP address when I do plug
>> it back in.  I'm trying to figure out how a cracker got past the
>> firewall.  I know that firewalls are not perfect, but it keeps most
>> ports closed by default, and I do not think that I opened any up.
>>
> 
> You might also want to go to a postgresql mailing list, since there
> *might* be a more innocuous explanation.

It's hard to tell with a generic Yahoo email address, but looking at the IP
ownership of one of his hops in Yahooland, I'm guessing Marc is stateside.
His box is making unauthorized ssh attempts/connections to places like:

Name: cdns.infolinker.com.tw
Address: 59.120.163.53

That's the only example of the ~300 Marc has shared thus far that I recall.

He's in the U.S.  This unknown connection was made to a host in Taiwan.  I'm
guessing the other ~299 processes are connecting to hosts all over the world
that have nothing to do with Marc.  I don't see how there could be an
innocuous explanation for this.

It seems pretty clear that someone owned his box and is using it for launching
brute force SSH attacks against hosts all over the place.

He should still definitely get on the postgres list and inquire as to why his
postgres user is doing what it is today.

-- 
Stan

