Folks,

Has anyone run across this issue? When remotely logging into my SuSE 9.0 linux box using ssh, I notice that there are 2 sshd processes that seem to get spawned to service the login. Before upgrading to SuSE 9.0 from 8.3 there was only 1 sshd process for the login. My suspicion is that my system has been compromised by an attacker, but don't know how to tell for sure or how to determine who the attacker might be. Can someone give some advice?

Thanks
Stuart

root 20100 901 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
root 20101 20100 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
<userid> 20103 20100 2 20:58 pts/5 00:00:00 -bash
<userid> 20323 20103 0 21:31 pts/5 00:00:00 ps -ef

I have the following ssh and pam packages installed on SuSE 9.0 box.

openssh-askpass-3.7.1p2-18
openssh-3.7.1p2-113
yast2-pam-2.8.5-65
pam-0.77-124
pam-modules-9.0-5
pam_krb5-1.3-54
pam-devel-0.77-124

On Tuesday 01 June 2004 11:16 pm, Stuart wrote:
> Folks,
>
> Has anyone run across this issue? When remotely logging into my SuSE 9.0 linux box using ssh, I notice that there are 2 sshd processes that seem to get spawned to service the login. Before upgrading to SuSE 9.0 from 8.3 there was only 1 sshd process for the login. My suspicion is that my system has been compromised by an attacker, but don't know how to tell for sure or how to determine who the attacker might be. Can someone give some advice?

I get the same thing here on a 9.0 system except that I only get one entry for sshd.

root 21737 2036 0 08:45 ? 00:00:00 sshd: <userid>@pts/39
<userid> 21738 21737 0 08:45 pts/39 00:00:00 -bash
<userid> 21763 21762 0 08:45 pts/39 00:00:00 ps -ef

I wouldn't be too concerned about it.

> Thanks
> Stuart
>
> root 20100 901 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
> root 20101 20100 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
> <userid> 20103 20100 2 20:58 pts/5 00:00:00 -bash
> <userid> 20323 20103 0 21:31 pts/5 00:00:00 ps -ef
>
> I have the following ssh and pam packages installed on SuSE 9.0 box.
>
> openssh-askpass-3.7.1p2-18
> openssh-3.7.1p2-113
> yast2-pam-2.8.5-65
> pam-0.77-124
> pam-modules-9.0-5
> pam_krb5-1.3-54
> pam-devel-0.77-124

--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   06/02/04 08:41      +
+----------------------------------------------------------------------------+
"The Information Highway: 500 channels and not a thing to watch."

Bruce,

Your results are what I expect. It's like I have multiple sshd services running at the same time, but on reboot there is only the one sshd process. I can't seem to find anything on this on the web, but will keep trying. Thanks for the response.

Stuart

On Wednesday June 2 2004 08:44, Bruce Marshall wrote:
> I get the same thing here on a 9.0 system except that I only get one entry for sshd.
>
> root 21737 2036 0 08:45 ? 00:00:00 sshd: <userid>@pts/39
> <userid> 21738 21737 0 08:45 pts/39 00:00:00 -bash
> <userid> 21763 21762 0 08:45 pts/39 00:00:00 ps -ef
>
> I wouldn't be too concerned about it.
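
The following is an added example, not part of either poster's message: a Python script that parses the two `ps -ef` listings quoted in this thread and groups the per-login sshd processes by their "user@tty" title, recording each one's owner, parent and children so the two systems can be compared line by line. The function and variable names are chosen for illustration.

```python
from collections import defaultdict

# Listings copied from the two messages in this thread (ps -ef columns:
# UID PID PPID C STIME TTY TIME CMD); "<userid>" is the posters' own redaction.
STUART = """\
root 20100 901 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
root 20101 20100 0 20:58 ? 00:00:00 sshd: <userid>@pts/5
<userid> 20103 20100 2 20:58 pts/5 00:00:00 -bash
<userid> 20323 20103 0 21:31 pts/5 00:00:00 ps -ef
"""
BRUCE = """\
root 21737 2036 0 08:45 ? 00:00:00 sshd: <userid>@pts/39
<userid> 21738 21737 0 08:45 pts/39 00:00:00 -bash
<userid> 21763 21762 0 08:45 pts/39 00:00:00 ps -ef
"""

def parse_ps(text):
    """Return {pid: row} for each `ps -ef` data line; a header line is skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 7)  # CMD (8th column) may itself contain spaces
        if len(f) < 8 or not f[1].isdigit():
            continue
        procs[int(f[1])] = {"uid": f[0], "pid": int(f[1]), "ppid": int(f[2]),
                            "tty": f[5], "cmd": f[7]}
    return procs

def sshd_sessions(text):
    """Group per-login sshd processes by the "user@tty" part of their title."""
    procs = parse_ps(text)
    kids = defaultdict(list)
    for p in procs.values():
        kids[p["ppid"]].append(p["pid"])
    sessions = defaultdict(list)
    for p in procs.values():
        if p["cmd"].startswith("sshd: ") and "@" in p["cmd"]:
            parent_cmd = procs.get(p["ppid"], {}).get("cmd", "")
            sessions[p["cmd"][6:].strip()].append({
                "pid": p["pid"], "ppid": p["ppid"], "uid": p["uid"],
                # True only when the parent is an sshd present in this listing
                "parent_is_sshd": parent_cmd.startswith("sshd"),
                "children": sorted(kids[p["pid"]]),
            })
    return dict(sessions)

if __name__ == "__main__":
    for name, listing in (("Stuart", STUART), ("Bruce", BRUCE)):
        for label, members in sshd_sessions(listing).items():
            print(name, label, len(members), "sshd process(es)")
            for m in members:
                print("   ", m)
```

On a live system the same functions can be given the captured output of `ps -ef` in place of the embedded listings.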