[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Hundreds of sshd processes spawned by Postgresql

Marc Shapiro put forth on 6/27/2010 12:57 AM:
> From: Stan Hoeppner <stan@hardwarefreak.com>
> 
>> If you were unable to find any inbound connections whilst these ~300
>> outbound connections were present, 
> 
> Has anyone come up with a viable theory as to why outbound connections would be initiated by sshd (or something calling itself sshd) as opposed to ssh?

To be frank, you're focusing on the least significant aspect of this break in
here.  This is pretty much irrelevant given the scope of the problem, a minor
detail, a blip on the radar so to speak.

>> and given that restarting the box caused
>> the ~300 ssh processes to instantly start up again and connect to Taiwan
>> and God knows where else, it's pretty clear that code of one kind or
>> another, either a script or a binary, has been uploaded to your system by
>> the cracker. 
> 
> Actually, the connections were restarted after I KILLED them.  AFTER that I shut the system and the router down.  When I restarted the system (with the router still down) the connections did NOT return.  Nor did they return when the system was restarted after the router was rebooted.  It looks like someone gained entrance to the system and started up a script, or binary, or simply a command, that made these connections (distributed DOS attack, possibly), but made no effort, or was unsuccessful at insuring that it would survive a reboot.  I DO need to harden the system, possibly after a clean install of Squeeze, since that was probably in my near future, anyway.  I also have no need for Apache to be running, so, default or not, it is being removed from /etc/init.d.  I will also insure that the firewall does not have any ports open that I don't need, which should mean just about everything closed down tight.

This is where you should focus your effort, and it sounds like you have a good
game plan for moving forward.  After you get all this worked out, _then_ worry
about the sshd vs ssh issue above, if you even care to take the time at that
point.  You probably won't.

-- 
Stan
Reply to: