
Re: Hundreds of sshd processes spawned by Postgresql



From: Stan Hoeppner <stan@hardwarefreak.com>

> If you were unable to find any inbound connections whilst these ~300
> outbound connections were present, 

Has anyone come up with a viable theory as to why outbound connections would be initiated by sshd (or something calling itself sshd) as opposed to ssh?

> and given that restarting the box caused
> the ~300 ssh processes to instantly start up again and connect to Taiwan
> and God knows where else, it's pretty clear that code of one kind or
> another, either a script or a binary, has been uploaded to your system by
> the cracker. 

Actually, the connections were restarted after I KILLED them.  AFTER that I shut the system and the router down.  When I restarted the system (with the router still down) the connections did NOT return.  Nor did they return when the system was restarted after the router was rebooted.  It looks like someone gained entrance to the system and started up a script, or binary, or simply a command, that made these connections (distributed DOS attack, possibly), but made no effort, or was unsuccessful at ensuring that it would survive a reboot.  I DO need to harden the system, possibly after a clean install of Squeeze, since that was probably in my near future, anyway.  I also have no need for Apache to be running, so, default or not, it is being removed from /etc/init.d.  I will also ensure that the firewall does not have any ports open that I don't need, which should mean just about everything closed down tight.

 -- 
Marc Shapiro
mshapiro_42@yahoo.com
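One way to answer the question raised above (is a process calling itself "sshd" really the OpenSSH daemon?), as an added example and not code from anyone in this thread: compare each such process's claimed name with the executable behind it and with its parent, since a genuine sshd child is forked by the sshd listener, not by postgres. The Debian binary paths and the parent allowlist are assumptions.

```python
import os

# Where Debian installs the real daemon and client (assumed; adjust for other distros).
EXPECTED_EXE = {"sshd": "/usr/sbin/sshd", "ssh": "/usr/bin/ssh"}
# Parents a genuine sshd may have: the listener forks one child per session,
# and the listener itself is started by init (assumed allowlist).
NORMAL_PARENTS = {"sshd", "init", "systemd"}


def judge(comm, exe_target, parent_comm=None):
    """Verdict for one process from its /proc name, exe link target and parent's name.
    exe_target is None when /proc/<pid>/exe could not be read (needs root)."""
    expected = EXPECTED_EXE.get(comm)
    if expected is None:
        return "not-ssh"
    if exe_target is None:
        return "unknown: cannot read exe link (run as root)"
    if exe_target.endswith(" (deleted)"):
        return "suspicious: running binary was deleted from disk"
    if exe_target != expected:
        return f"suspicious: exe is {exe_target}, expected {expected}"
    if comm == "sshd" and parent_comm is not None and parent_comm not in NORMAL_PARENTS:
        return f"suspicious: sshd started by {parent_comm}"
    return "ok"


def stat_info(proc, pid):
    """Return (comm, ppid) from /proc/<pid>/stat: 'pid (comm) state ppid ...'.
    comm may contain spaces or ')', so split on the first '(' and the last ')'."""
    with open(f"{proc}/{pid}/stat") as f:
        _, _, tail = f.read().partition("(")
    comm, _, rest = tail.rpartition(")")
    return comm, int(rest.split()[1])


def scan_proc(proc="/proc"):
    """Return (pid, comm, exe, parent_comm, verdict) for every process claiming to be ssh or sshd."""
    findings = []
    if not os.path.isdir(proc):
        return findings
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            comm, ppid = stat_info(proc, entry)
            if comm not in EXPECTED_EXE:
                continue
            try:
                exe = os.readlink(f"{proc}/{entry}/exe")
            except OSError:
                exe = None
            parent = stat_info(proc, ppid)[0] if ppid > 0 else None
            findings.append((int(entry), comm, exe, parent, judge(comm, exe, parent)))
        except (OSError, ValueError, IndexError):
            continue  # process exited while we were looking
    return findings


if __name__ == "__main__":
    for row in scan_proc():
        print(*row)
```

A clean exe path only proves the file on disk is what runs; pair this with `debsums openssh-server` to confirm that file still matches the package checksums.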

