system seems hacked...

Roger Oberholtzer roger at opq.se
Thu Feb 21 06:12:09 PST 2008


I have just seen something odd on a principal server (suse 10.0) in our
DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I
saw a different user running ssh_scan. Me thinks, this is not right. So,
I started by changing passwords for all, and rebooting. Then I notice on
the freshly booted system:

root      4137     1  0 14:16 ?        00:00:00 /usr/sbin/sshd -o
PidFile=/var/run/sshd.init.pid
jan       4755     1  0 14:17 ?        00:00:00 /usr/sbin/sshd


netstat tells me

tcp        0      0 :::22                   :::*
LISTEN      4137/sshd
udp        0      0 0.0.0.0:32775           0.0.0.0:*
4755/sshd

So this unexpected sshd has udp port 32775 open. How odd.

User jan should not be running anything, let alone sshd. If I kill it,
it comes back. I checked the /usr/sbin/sshd and it has a correct
checksum compared to an internal machine. So then I looked in inittab
and the rc scripts (process 1 is init) to see if anything there looks
odd. I do not see anything that gives me a clue as to why this is
running. Of course the rc scripts are harder to check as they run
programs that run programs, etc. I did a check to see what is different
from the installed RPMs. Nothing looked odd.

I had a look at http://suseforums.net/index.php?showtopic=31358 which
seems to be describing the same thing. Except that in my case, the odd
sshd is still running after the reboot. And it will not go away...

Anyone seen/heard of this specific exploit?

-- 
Roger Oberholtzer

OPQ Systems / Ramböll RST

Ramböll Sverige AB
Kapellgränd 7
P.O. Box 4205
SE-102 65 Stockholm, Sweden

Office: Int +46 8-615 60 20
Mobile: Int +46 70-815 1696




More information about the Linux-users mailing list
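The triage the post describes (ps, then netstat, then checking who owns each listener) can be cross-checked mechanically. The script below is an added example, not something from the post or the Linux-users list: it parses `ps -ef` and `netstat -anp` text and flags any process whose command name is sshd but which runs as a user other than root or holds a socket on a protocol sshd does not use. The sample output embedded in it is constructed to mirror the listing in the post (PIDs 4137 and 4755, user jan, UDP port 32775); the third ps line is a made-up normal session child for contrast.

```python
"""Cross-check `ps -ef` and `netstat -anp` output for sshd look-alikes.

Flags an sshd process that runs under an unexpected user or that owns a
socket on a protocol sshd should never use (UDP). The sample text below is
constructed to match the listing in the post; it is not captured output.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like `ps -ef` on the affected host.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      4137     1  0 14:16 ?        00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
jan       4755     1  0 14:17 ?        00:00:00 /usr/sbin/sshd
roger     4802  4137  0 14:18 ?        00:00:00 sshd: roger [priv]
"""

# Constructed sample, shaped like `netstat -anp` on the affected host.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::22                   :::*                    LISTEN      4137/sshd
udp        0      0 0.0.0.0:32775           0.0.0.0:*                           4755/sshd
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str                      # argv as ps shows it; the process controls this
    sockets: list = field(default_factory=list)   # (proto, local address)


def parse_ps(text):
    """Map PID -> Proc from `ps -ef` text (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)   # CMD may contain spaces, keep it whole
        if len(parts) < 8:
            continue
        user, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs[int(pid)] = Proc(user, int(pid), int(ppid), cmd)
    return procs


# proto, local address, optional LISTEN state, then PID before the slash
SOCK_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/")


def attach_sockets(text, procs):
    """Attach each `netstat -anp` socket line to the owning Proc, if known."""
    for line in text.splitlines()[1:]:
        m = SOCK_RE.match(line)
        if not m:
            continue
        proto, local, pid = m.group(1), m.group(2), int(m.group(3))
        if pid in procs:
            procs[pid].sockets.append((proto, local))
    return procs


def build_inventory(ps_text, netstat_text):
    return attach_sockets(netstat_text, parse_ps(ps_text))


def triage(procs, daemon="sshd", expected_user="root", expected_proto="tcp"):
    """Return (pid, reason) findings for daemon look-alikes that break policy.

    Only processes whose argv[0] basename equals `daemon` are considered, so
    per-session children such as 'sshd: roger [priv]' are ignored.
    """
    findings = []
    for p in procs.values():
        if os.path.basename(p.cmd.split()[0]) != daemon:
            continue
        if p.user != expected_user:
            findings.append((p.pid, f"{daemon} running as '{p.user}', expected '{expected_user}'"))
        for proto, local in p.sockets:
            if proto != expected_proto:
                findings.append((p.pid, f"{daemon} holds a {proto} socket on {local}"))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(PS_OUTPUT, NETSTAT_OUTPUT)
    for pid, reason in triage(inventory):
        # /proc/PID/exe is what the kernel is actually executing, independent of argv
        print(f"PID {pid}: {reason}; check: readlink /proc/{pid}/exe; ls -l /proc/{pid}/cwd")
```

Two caveats worth keeping in mind while reading the findings. The CMD column that ps prints is the process's own argv, so a matching checksum on /usr/sbin/sshd says nothing about what PID 4755 is executing; `readlink /proc/4755/exe` shows the real binary (and reports "(deleted)" if it was unlinked after starting), and `rpm -V` only covers files that belong to a package. Likewise a parent PID of 1 only means the process daemonized and its original parent exited, not that init or an rc script started it, so something outside inittab and the rc directories can still be respawning it.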