On 25.06.10 18:51, Tom Furie wrote:
> On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
>> On Fri, 25 Jun 2010 03:30:52 -0500
>> Stan Hoeppner <s...@hardwarefreak.com> wrote:
>>
>>> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>>>
>>>> I am getting lines like:
>>>> tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
>>>> tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
>>>
>>> It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
>>> SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>>
>> Why is outbound ssh access indicative of root access?
>
> The thing that confuses me here is that these look like outbound
> connections, from a local high port to a remote :22, but then why are
> they ssh*d* processes rather than ssh? Some sort of port-forwarding?

That was my first guess too, but I was not able to reproduce the OP's output by using port forwarding. Forwarded ports on my lenny host do NOT appear using sshd as the process name in netstat; they appear with /0 at the end in netstat (can anyone explain why and what exactly this means?)
So my next guess would be that they just use a specially crafted application (maybe inserted by hacking postgresql and run by that account, as the OP mentioned those processes are owned by postgresql). But then why use sshd as camouflage? Wouldn't ssh be more reasonable and less weird (as an sshd connecting outbound is a weird thing)?

And about root, I don't think they have root access, since if so they would use a rootkit which tries to hide those connections and processes by not showing them in ps and netstat (at least the rootkits I have read about so far do that). So I would guess this too looks like the postgresql server got hacked, but not root (so far)? (Could any security guru tell me if this sounds reasonable? Or am I completely thinking the wrong way?)

On the other side, this all could be just camouflage (?), but that wouldn't make a lot of sense, as postgresql doing sshd is not really good camouflage...

> Cheers,
> Tom

Confused too,
HP

Archive: http://lists.debian.org/4c24e5a5.2040...@spahan.ch
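As an added example (not code from the list posting, and not a tool anyone in the thread used): a small Python parser for Linux `netstat -tnp` output that flags the exact pattern the thread is puzzling over, a connection whose remote end is port 22 but whose owning program is reported as sshd rather than ssh. The column layout assumed is the net-tools one (Proto, Recv-Q, Send-Q, Local, Foreign, State, PID/Program); the sample lines are constructed, with the two suspicious entries mirroring the OP's posting and the rest added as benign controls (an inbound sshd session, a legitimate outbound ssh client, a local postgres socket, and an unowned TIME_WAIT entry).

```python
"""Flag outbound SSH connections that netstat attributes to sshd.

Added example for the thread above (not the OP's or the list's code).
Parses `netstat -tnp` lines and reports:
  * suspicious_sshd_outbound(): remote port 22, local port != 22, program sshd
  * outbound_ssh(): every connection to a remote port 22, for manual review
Sample input is constructed; the two flagged lines copy the OP's posting.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `netstat -tnp` output (assumed net-tools layout).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055       59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      0 192.168.1.2:22          192.168.1.10:51234      ESTABLISHED 1234/sshd
tcp        0      0 192.168.1.2:40012       10.0.0.5:22             ESTABLISHED 2345/ssh
tcp        0      0 127.0.0.1:5432          127.0.0.1:33000         ESTABLISHED 3456/postgres
tcp        0      0 192.168.1.2:8080        192.168.1.20:44444      TIME_WAIT   -
"""

# One connection line. Host parts are taken greedily so IPv6 forms such as
# ::ffff:1.2.3.4:22 still split on the final ':' before the port.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<lhost>\S+):(?P<lport>\d+)\s+(?P<rhost>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<owner>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    lhost: str
    lport: int
    rhost: str
    rport: int
    state: str
    pid: Optional[int]      # None when netstat prints '-' (no visible owner)
    program: Optional[str]  # None when the program name is absent


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -tnp` text, skipping the header and unparseable lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        owner = m.group("owner")
        pid, prog = None, None
        if owner != "-":
            pid_s, _, prog = owner.partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
            prog = prog or None
        conns.append(Conn(m.group("proto"), m.group("lhost"), int(m.group("lport")),
                          m.group("rhost"), int(m.group("rport")),
                          m.group("state"), pid, prog))
    return conns


def outbound_ssh(conns: List[Conn]) -> List[Conn]:
    """Every connection whose remote end is port 22 (our side is the client)."""
    return [c for c in conns if c.rport == 22 and c.lport != 22]


def suspicious_sshd_outbound(conns: List[Conn]) -> List[Conn]:
    """Outbound port-22 connections owned by a process named sshd.

    A daemon accepts inbound connections; it has no business dialling out
    to another host's port 22, so these are the entries worth chasing.
    """
    return [c for c in outbound_ssh(conns) if c.program == "sshd"]


def report(text: str) -> List[str]:
    """Human-readable summary of the suspicious entries, one line each."""
    return [f"{c.pid}/{c.program} {c.lhost}:{c.lport} -> {c.rhost}:{c.rport} ({c.state})"
            for c in suspicious_sshd_outbound(parse_netstat(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print("SUSPICIOUS:", line)
```

Feed it live output with `netstat -tnp | python3 thisfile.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; the legitimate inbound sshd session and the ordinary outbound ssh client in the sample are deliberately not flagged, which is the distinction the thread is trying to draw.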