On Thu, Feb 21, 2008 at 03:12:09PM +0100, Roger Oberholtzer wrote:
I have just seen something odd on a principal server (suse 10.0) in our DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I saw a different user running ssh_scan. Methinks, this is not right. So, I started by changing passwords for all, and rebooting. Then I notice on the freshly booted system:

root 4137 1 0 14:16 ? 00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
jan  4755 1 0 14:17 ? 00:00:00 /usr/sbin/sshd
netstat tells me
tcp 0 0 :::22 :::* LISTEN 4137/sshd
udp 0 0 0.0.0.0:32775 0.0.0.0:* 4755/sshd
So this unexpected sshd has udp port 32775 open. How odd.
User jan should not be running anything, let alone sshd. If I kill it, it comes back. I checked the /usr/sbin/sshd and it has a correct checksum compared to an internal machine. So then I looked in inittab and the rc scripts (process 1 is init) to see if anything there looks odd. I do not see anything that gives me a clue as to why this is running. Of course the rc scripts are harder to check as they run programs that run programs, etc. I did a check to see what is different from the installed RPMs. Nothing looked odd.
Programs can rename themselves for the process list. What does the symlink /proc/4755/exe point to? It might be some kind of trojan/daemon/services the user is trying to hide from you.

Ciao, Marcus
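The check Marcus suggests, written out as an added example (this script is not from the thread and not part of openSUSE): a process can overwrite its own argv[0], so ps shows whatever name it chooses, but the kernel's /proc/PID/exe and /proc/PID/cwd links and its fd table come from the kernel and cannot be faked from user space. A PPID of 1, as in the ps output above, only means the real parent has exited (the process daemonised), not that init started it, so an empty inittab is not a clue either way. The PID 4755 in the usage line is the one from the post; the paths in the test inputs are constructed. Run it as root, otherwise exe links of other users' processes are unreadable. It reads argv[0] from /proc/PID/cmdline rather than /proc/PID/comm because comm did not exist on a 2.6.13-era kernel such as suse 10.0's.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check a suspicious PID
# against the kernel's view of it in /proc. POSIX sh, no bashisms.

# Compare the name a process presents (argv[0] as shown by ps) with the
# target of its /proc/PID/exe link. Prints one verdict line and returns 0
# only when the two plausibly agree.
classify_exe() {
    claimed=$1
    exe=$2
    case "$exe" in
        "")
            # readlink failed: not root, a zombie, or a kernel thread
            echo "UNREADABLE: exe link not readable for '$claimed'"
            return 1 ;;
        *" (deleted)")
            # binary was unlinked after exec, a common way to hide a dropped tool
            echo "DELETED: binary unlinked after exec: $exe"
            return 1 ;;
    esac
    claimed_base=${claimed##*/}      # strip any directory part
    claimed_base=${claimed_base#-}   # login shells show as "-bash"
    exe_base=${exe##*/}
    if [ "$claimed_base" = "$exe_base" ]; then
        echo "OK: $claimed_base really is $exe"
        return 0
    fi
    echo "MISMATCH: shows as '$claimed' but executes $exe"
    return 1
}

# Gather the kernel's facts about one running PID. Returns 2 if the PID does
# not exist, otherwise the verdict of classify_exe.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 2; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    # cmdline is NUL-separated; the first field is argv[0]
    argv0=$(tr '\000' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    echo "pid $pid argv0='$argv0' cwd='$cwd'"
    # Open sockets appear as "socket:[inode]"; the same inode numbers are
    # listed in /proc/net/tcp and /proc/net/udp, which is how netstat -p
    # tied udp 32775 to PID 4755 above.
    ls -l "/proc/$pid/fd" 2>/dev/null | grep 'socket:' | sed 's/^/  /'
    classify_exe "$argv0" "$exe"
}

# Usage: sh inspect_pid.sh 4755   (the jan-owned "sshd" from the post)
if [ -n "$1" ]; then
    inspect_pid "$1"
fi
```

If the verdict is MISMATCH or DELETED, the /proc/PID/cwd link and the socket inodes are the next things to record before killing anything, since the on-disk file may already be gone and the listening UDP socket is the only other artefact left.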