I have just seen something odd on a principal server (SUSE 10.0) in our DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I saw a different user running ssh_scan. Methinks this is not right. So, I started by changing passwords for all, and rebooting. Then I noticed on the freshly booted system:

    root  4137  1  0 14:16 ?  00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
    jan   4755  1  0 14:17 ?  00:00:00 /usr/sbin/sshd

netstat tells me:

    tcp  0  0 :::22          :::*       LISTEN  4137/sshd
    udp  0  0 0.0.0.0:32775  0.0.0.0:*          4755/sshd

So this unexpected sshd has UDP port 32775 open. How odd. User jan should not be running anything, let alone sshd. If I kill it, it comes back.

I checked /usr/sbin/sshd and it has a correct checksum compared to an internal machine. So then I looked in inittab and the rc scripts (process 1 is init) to see if anything there looks odd. I do not see anything that gives me a clue as to why this is running. Of course the rc scripts are harder to check as they run programs that run programs, etc.

I did a check to see what is different from the installed RPMs. Nothing looked odd.

I had a look at http://suseforums.net/index.php?showtopic=31358 which seems to be describing the same thing. Except that in my case, the odd sshd is still running after the reboot. And it will not go away...

Anyone seen/heard of this specific exploit?

--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB
Kapellgränd 7
P.O. Box 4205
SE-102 65 Stockholm, Sweden
Office: Int +46 8-615 60 20
Mobile: Int +46 70-815 1696
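The checks the post walks through (who owns each sshd, whether the running image is really the packaged /usr/sbin/sshd, what could be respawning it, and the UDP socket that a genuine OpenSSH sshd never opens) collected into one triage script. This is an added example, not code from the original post or from the SUSE forum thread; it assumes a Linux /proc, ps, awk, md5sum, netstat and rpm, and the sample ps lines are constructed to mirror the post, with hypothetical pids.

```shell
#!/bin/sh
# Triage for an sshd that should not exist. Read-only: it reports, it does not kill.
EXPECTED_SSHD=/usr/sbin/sshd

# Read "ps -eo user,pid,ppid,args" lines on stdin; print "user pid ppid" for each
# plain sshd invocation not owned by root. Legitimate privsep and session children
# carry a "sshd: ..." title, so they do not match /sshd$/ and are not flagged.
flag_nonroot_sshd() {
    awk '$1 != "root" && $4 ~ /(^|\/)sshd$/ { print $1, $2, $3 }'
}

# Compare the image a process is actually executing with the file on disk. A
# mismatch, or a "(deleted)" link, means the on-disk checksum proves nothing.
inspect_sshd_pid() {
    pid=$1
    echo "pid $pid exe=$(readlink /proc/$pid/exe) cwd=$(readlink /proc/$pid/cwd) ppid=$(awk '{print $4}' /proc/$pid/stat)"
    running=$(md5sum < /proc/$pid/exe 2>/dev/null | awk '{print $1}')
    ondisk=$(md5sum < "$EXPECTED_SSHD" | awk '{print $1}')
    if [ "$running" = "$ondisk" ]; then echo "  image matches $EXPECTED_SSHD"
    else echo "  IMAGE DIFFERS from $EXPECTED_SSHD"; fi
}

# Where could it be coming back from? inittab respawn entries, init/cron scripts
# mentioning sshd, package files that no longer verify, and any UDP socket
# attributed to sshd (OpenSSH's sshd only listens on TCP).
find_respawn_sources() {
    grep -n respawn /etc/inittab 2>/dev/null
    grep -rln sshd /etc/init.d /etc/cron* /var/spool/cron 2>/dev/null
    rpm -V openssh 2>/dev/null
    netstat -anup 2>/dev/null | awk '$NF ~ /\/sshd$/ { print "UDP socket owned by sshd:", $0 }'
}

# Constructed sample in the shape of "ps -eo user,pid,ppid,args" (hypothetical pids).
sample_ps() {
    printf '%s\n' \
        'USER PID PPID COMMAND' \
        'root 1 0 init [3]' \
        'root 4137 1 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid' \
        'jan 4755 1 /usr/sbin/sshd' \
        'jan 4760 4137 sshd: jan@pts/0'
}

if [ "${1:-}" = "--live" ]; then
    ps -eo user,pid,ppid,args | flag_nonroot_sshd | while read -r user pid ppid; do
        inspect_sshd_pid "$pid"
    done
    find_respawn_sources
else
    sample_ps | flag_nonroot_sshd    # prints: jan 4755 1
fi
```

Run it with --live as root on the suspect host; rpm -V and netstat are only as trustworthy as the binaries on that box, so compare against a known-good machine as the post already did.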