From: Hanspeter Spalinger <deb...@spahan.ch>

> Tom Furie wrote:
>> On Fri, Jun 25, 2010 at 08:55:32AM -0400, Celejar wrote:
>>> On Fri, 25 Jun 2010 03:30:52 -0500
>>> Stan Hoeppner wrote:
>>>
>>>> Marc Shapiro put forth on 6/24/2010 9:47 AM:
>>>>
>>>>> I am getting lines like:
>>>>> tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd
>>>>> tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd
>>>>
>>>> It appears someone has cracked/pwn3d your Debian host. That's an _outbound_
>>>> SSH connection. 59.120.163.53 is HINET network space in Taiwan.
>>>
>>> Why is outbound ssh access indicative of root access?
>>
>> The thing that confuses me here is that these look like outbound
>> connections, from a local high port to a remote :22, but then
>> why are they ssh*d* processes rather than ssh? Some sort of
>> port-forwarding
I was also curious about this, but I don't know just how ssh and sshd work,
so I had not yet commented.

> That was my first guess too, but I was not able to reproduce the OP's
> output by using port forwarding. Forwarded ports on my lenny host
> do NOT appear using sshd as process name in netstat; they appear with /0 at the
> end in netstat (can anyone explain why and what exactly this means?)
>
> So my next guess would be they just use a specially crafted application
> (maybe inserted by hacking postgresql and run by that account, as the OP
> mentioned those processes are owned by postgresql). But then why use
> sshd as camouflage? Wouldn't ssh be more reasonable and less weird (as an
> sshd connecting outbound is a weird thing)?

If so, might I fix this by purging postgresql from the system?

> And about the root, I don't think they have root access since if so,
> they would use a rootkit which tries to hide those connections and
> processes by not showing them in ps and netstat (at least the rootkits I
> have read about so far do that). So I would guess this too looks like
> the postgresql server got hacked but not root (so far)?

That, at least, sounds encouraging. Maybe I CAN just purge postgresql, remove
the postgres user, and make sure there are no references in /etc/init.d?

> (Could any security guru tell me if this sounds reasonable? Or am I
> completely thinking the wrong way?)
>
> On the other side this all could be just a camouflage (?) but that
> wouldn't make a lot of sense as postgresql doing sshd is not really a good
> camouflage...

For now, the system is powered down and the FIOS router is disconnected.
Whoever got to my box had to get past the router's firewall, so I am hoping
that it gets a new IP address when I do plug it back in. I'm trying to figure
out how a cracker got past the firewall. I know that firewalls are not perfect,
but it keeps most ports closed, by default, and I do not think that I opened
any up.
--
Marc Shapiro
mshapiro...@yahoo.com

Archive: http://lists.debian.org/814793.76148...@web55502.mail.re4.yahoo.com
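A check, added here as an example and not part of the thread, that parses netstat -tnp output and flags an sshd process sitting on the client side of a connection to a remote :22, which is the oddity Tom and Hanspeter puzzle over above. The sample lines are constructed (the OP's two lines plus benign ones for contrast), and the ephemeral port boundary of 32768 is an assumption about the Linux default.

```python
import re

# Constructed sample netstat -tnp lines: the two lines the OP posted plus three
# benign ones for contrast (inbound sshd session, outbound ssh client, local postgres).
SAMPLE_NETSTAT = """\
tcp        0      1 192.168.1.2:49526       59.120.141.34:22        SYN_SENT    9853/sshd
tcp        0      0 192.168.1.2:35055       59.120.163.53:22        ESTABLISHED 9995/sshd
tcp        0      0 192.168.1.2:22          192.168.1.10:51234      ESTABLISHED 1234/sshd
tcp        0      0 192.168.1.2:44021       203.0.113.7:22          ESTABLISHED 2345/ssh
tcp        0      0 127.0.0.1:5432          127.0.0.1:40102         ESTABLISHED 777/postgres
"""

# Proto Recv-Q Send-Q Local Remote State PID/Program ("-" when PID is not readable)
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+|-)/?(?P<prog>\S*)$"
)

EPHEMERAL_MIN = 32768  # assumption: Linux default net.ipv4.ip_local_port_range start


def parse_netstat(text):
    """Parse netstat -tnp style lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
        d["pid"] = None if d["pid"] == "-" else int(d["pid"])
        conns.append(d)
    return conns


def is_outbound(conn):
    """Heuristic: an ephemeral local port talking to a well-known remote port."""
    return conn["lport"] >= EPHEMERAL_MIN and conn["rport"] < 1024


def suspicious_sshd(conns):
    """sshd accepts connections; an 'sshd' acting as the client side of a
    connection to a remote :22 is the anomaly the thread is discussing."""
    return [c for c in conns if c["prog"] == "sshd" and is_outbound(c)
            and c["state"] in ("SYN_SENT", "ESTABLISHED")]


if __name__ == "__main__":
    for c in suspicious_sshd(parse_netstat(SAMPLE_NETSTAT)):
        print(f"suspicious: pid {c['pid']} {c['prog']} -> {c['raddr']}:{c['rport']} {c['state']}")
```

On a live host, feed it the output of `netstat -tnp` run as root so the PID/Program column is populated; a hit names a process whose binary and owner should then be checked rather than trusted by name.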