system seems hacked...

James McDonald james at jamesmcdonald.id.au
Thu Feb 21 12:37:03 PST 2008


Roger Oberholtzer wrote:
> I have just seen something odd on a principal server (suse 10.0) in our
> DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I
> saw a different user running ssh_scan. Me thinks, this is not right. So,
> I started by changing passwords for all, and rebooting. Then I notice on
> the freshly booted system:
>
> root      4137     1  0 14:16 ?        00:00:00 /usr/sbin/sshd -o
> PidFile=/var/run/sshd.init.pid
> jan       4755     1  0 14:17 ?        00:00:00 /usr/sbin/sshd
>
>
> netstat tells me
>
> tcp        0      0 :::22                   :::*
> LISTEN      4137/sshd
> udp        0      0 0.0.0.0:32775           0.0.0.0:*
> 4755/sshd
>
> So this unexpected sshd has udp port 32775 open. How odd.
>
> User jan should not be running anything, let alone sshd. If I kill it.
> it comes back. I checked the /usr/sbin/sshd and it has a correct
> checksum compared to an internal machine. So then I looked in inittab
> and the rc scripts (process 1 is init) to see if anything there looks
> odd. I do not see anything the gives me a clue as to why this is
> running. Of course the rc scripts are harder to check as they run
> programs that run programs, etc. I did a check to see what is different
> from the installed RPMs. Nothing looked odd.
>
> I had a look at http://suseforums.net/index.php?showtopic=31358 which
> seems to be describing the same thing. Except that in my case, the odd
> sshd is still running after the reboot. And it will not go away...
>
> Anyone seen/heard of this specific exploit?
>
No, I haven't. Have you tried chkrootkit and rkhunter to see if they can
identify it?

Also, it's probably not going to work if it's hiding itself, but try pstree,
which may show you the parent process.
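The two checks discussed above (an sshd owned by a non-root user whose parent is PID 1, and an inittab "respawn" entry, which is the standard reason a process started by init comes straight back when killed), as an added shell example that is not part of this thread. The `ps -ef` and inittab lines it runs over are constructed samples modelled on the quoted output, not data from the poster's machine; the function names are my own.

```shell
#!/bin/sh
# Added triage helper (not from the thread). It applies two of the checks the
# poster did by hand: list sshd processes not owned by root, noting whether
# init (PID 1) is their parent, and list inittab "respawn" entries, which are
# the usual reason a PID-1 child "comes back" after being killed.

# Constructed `ps -ef` sample modelled on the quoted output (not real data).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      4137     1  0 14:16 ?        00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
jan       4755     1  0 14:17 ?        00:00:00 /usr/sbin/sshd'

# Constructed /etc/inittab sample (format id:runlevels:action:process); the
# last line is the kind of entry that would keep an sshd alive under PID 1.
SAMPLE_INITTAB='# constructed sample inittab
id:3:initdefault:
si::bootwait:/etc/init.d/boot
l3:3:wait:/etc/init.d/rc 3
1:2345:respawn:/sbin/mingetty --noclear tty1
ss:2345:respawn:/usr/sbin/sshd'

# flag_unexpected_sshd: reads `ps -ef` output on stdin and prints
# "USER PID PPID CMD" for every sshd whose owner is not root. In `ps -ef`
# field 8 is the command; the header line drops out because its field 8
# is "CMD".
flag_unexpected_sshd() {
    awk '$8 ~ /(^|\/)sshd$/ && $1 != "root" { print $1, $2, $3, $8 }'
}

# find_respawn_entries: reads inittab lines on stdin and prints "ID PROCESS"
# for every non-comment entry whose action field is "respawn".
find_respawn_entries() {
    awk -F: '$1 !~ /^#/ && $3 == "respawn" { print $1, $4 }'
}

# report: runs both checks over the given ps text ($1) and inittab text ($2)
# and prints a short summary with the next thing to look at for each hit.
report() {
    hits=$(printf '%s\n' "$1" | flag_unexpected_sshd)
    if [ -z "$hits" ]; then
        echo "no non-root sshd processes found"
        return 0
    fi
    printf '%s\n' "$hits" | while read -r user pid ppid cmd; do
        if [ "$ppid" = "1" ]; then
            next="parent is init (PID 1): check inittab respawn entries and rc scripts"
        else
            next="parent PID $ppid: inspect it (e.g. pstree -p $ppid)"
        fi
        echo "non-root sshd: user=$user pid=$pid cmd=$cmd; $next"
    done
    echo "inittab respawn entries (id process):"
    printf '%s\n' "$2" | find_respawn_entries | sed 's/^/  /'
    return 0
}

# Run the checks on the constructed samples. On a live system the same
# functions take `ps -ef | flag_unexpected_sshd` and
# `find_respawn_entries < /etc/inittab`.
report "$SAMPLE_PS" "$SAMPLE_INITTAB"
```

Two caveats for real use: the legitimate sshd is also a child of PID 1, so the owner, not the parent, is what singles out the odd process; and on a box that may already be rooted, ps, netstat and awk themselves are suspect, so run these from a known-clean toolset or over an offline image of the disk before trusting a "nothing found".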
