[opensuse] system seems hacked...
Nick Zeljkovic
nzeljkovic at site5.com
Thu Feb 21 06:22:17 PST 2008
I have just seen something odd on a principal server (suse 10.0) in our
DMZ. At first, I saw a user running ftp_scan on a zillion ports. Then I
saw a different user running ssh_scan. Methinks this is not right. So,
I started by changing passwords for all, and rebooting. Then I notice on
the freshly booted system:
root 4137 1 0 14:16 ? 00:00:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid
jan  4755 1 0 14:17 ? 00:00:00 /usr/sbin/sshd
netstat tells me:
tcp 0 0 :::22          :::*       LISTEN 4137/sshd
udp 0 0 0.0.0.0:32775  0.0.0.0:*         4755/sshd
So this unexpected sshd has udp port 32775 open. How odd.
User jan should not be running anything, let alone sshd. If I kill it,
it comes back. I checked /usr/sbin/sshd and it has a correct
checksum compared to an internal machine. So then I looked in inittab
and the rc scripts (process 1 is init) to see if anything there looks
odd. I do not see anything that gives me a clue as to why this is
running. Of course the rc scripts are harder to check as they run
programs that run programs, etc. I did a check to see what is different
from the installed RPMs. Nothing looked odd.
I had a look at http://suseforums.net/index.php?showtopic=31358 which
seems to be describing the same thing. Except that in my case, the odd
sshd is still running after the reboot. And it will not go away...
Anyone seen/heard of this specific exploit?
--
Roger Oberholtzer
lsof -p PID
See where it's located. My best guess would be that it's a Perl script forking itself again if you kill it. Find the source file and remove it.
--
Best regards,
Nick Zeljkovic
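The check Nick suggests (lsof -p PID, then find the file behind the process) can be done straight from /proc, and it also settles Roger's puzzle about the checksum: ps and top print argv[0], which any process can set to "/usr/sbin/sshd" (a Perl script only has to assign $0), while /proc/PID/exe is a link to the binary that is really executing. The script below is an added example, not code from either poster. It assumes a Linux /proc layout; PROC_ROOT is a hypothetical knob added here so the functions can be pointed at a copied or constructed tree instead of the live /proc.

```sh
#!/bin/sh
# Added example: inspect a PID the way "lsof -p PID" does, using /proc.
# PROC_ROOT is an assumption of this example (not a standard variable) so
# the functions can run against a constructed tree as well as the live one.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Real executable behind a PID (what is actually running), or "" if unreadable.
real_exe() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null || :
}

# argv[0] exactly as ps shows it; cmdline is NUL-separated.
argv0() {
    tr '\000' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Parent PID from /proc/PID/status (PPid line); useful for the respawn chain.
parent_pid() {
    awk '/^PPid:/ {print $2}' "$PROC_ROOT/$1/status" 2>/dev/null || :
}

# Verdict for one PID:
#   ok      - argv[0] names the binary that is executing
#   spoofed - argv[0] says one thing, exe says another (the $0 trick)
#   deleted - the binary was unlinked after launch (readlink shows "(deleted)")
#   unknown - PID gone or /proc not readable
check_pid() {
    pid=$1
    exe=$(real_exe "$pid")
    a0=$(argv0 "$pid")
    case "$exe" in
        "")            echo "unknown"; return ;;
        *" (deleted)") echo "deleted"; return ;;
    esac
    # Compare basenames: argv[0] may be "sshd" or "/usr/sbin/sshd".
    if [ "$(basename "$exe")" = "$(basename "$a0")" ]; then
        echo "ok"
    else
        echo "spoofed"
    fi
}

# One-line report plus the open file descriptors. An interpreter keeps the
# script it is running open, so the fd list is where the source file turns up.
report_pid() {
    pid=$1
    printf 'pid=%s exe=%s argv0=%s cwd=%s ppid=%s verdict=%s\n' \
        "$pid" "$(real_exe "$pid")" "$(argv0 "$pid")" \
        "$(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null || :)" \
        "$(parent_pid "$pid")" "$(check_pid "$pid")"
    ls -l "$PROC_ROOT/$pid/fd" 2>/dev/null
}

# Usage: sh inspect.sh 4755 [more PIDs...]
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        report_pid "$p"
    done
fi
```

Run it as root against the PID of the odd sshd: a verdict of "spoofed" with exe pointing at perl (or "deleted") is the answer to why the packaged /usr/sbin/sshd checks out while the process does not. The ppid and cwd fields are the starting point for the respawn chain and the source file Nick says to remove.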