On 24.06.10 04:58, Marc Shapiro wrote:
> I am running a Lenny box, with postgresql-8.4.
>
> I ran ps -e, just now, and there were over 350 sshd processes running under
> user postgres. I killed the postgresql-8.4 process, but the sshd processes
> were still there, so I killed them. I then started postgres again, followed
> by ssh. I immediately ran ps -e and there were over 200 sshd processes,
> again. Is this normal? There should not be anything running, that I know
> of, that should be accessing any databases.
>
> I have again killed postgresql and sshd processes. I am hoping for an answer
> before I restart ssh, but that will keep me from connecting via ssh from my
> laptop.
>
> Any help appreciated.
>
> --
> Marc Shapiro
- Are those sshds logins (e.g. not servers)? Check 'netstat -anp | grep sshd'. If those processes are LISTEN, they are servers; if they are ESTABLISHED, you are seeing logins (attempts maybe). If those are servers, you most likely got hacked -> get help from google and friends for advice. If those are login (attempts), read on.

- Are those actual connections or just login attempts? On my squeeze, logged-in users show 2 lines like:

    root    26011 [...] Ss 15:04 0:00 sshd: spahan [priv]
    spahan  26013 [...] S  15:04 0:00 sshd: spa...@pts/1

For login attempts it shows:

    root    26126 [...] Ss 15:24 0:00 sshd: spahan [priv]
    sshd    26127 [...] S  15:24 0:00 sshd: spahan [net]

pstree may help to identify this too:

    ├─sshd(1174)─┬─sshd(26011)───sshd(26013)───bash(26014)───pstree(26128)
    │            ├─sshd(26107)───sshd(26110)───bash(26111)
    │            └─sshd(26126)───sshd(26127)

(first and second line is a successfully logged in user, third line is a login attempt)

If those are just login attempts, someone is trying to bruteforce a login or ddos you. If your pws and keys are strong, you may ignore this or use something like fail2ban to slow them down -> check google for "sshd bruteforce", you will find a lot of different ways to deal with this.

If those are successful logins, check /var/log/auth.log, it should tell you how people logged in (e.g. password or key login).

In any case, I don't think the default postgresql setup allows ssh login into a lenny box. Somehow someone had to enable this. If it was not you, you got hacked and your computer (and its data) is not safe anymore -> check google and friends for recovery/advice.

If you did set this up (for backup/maintenance from external hosts, for example), you should check the password (if pw login was used) or the key (if key login was used). If key login, did you create the key during the "debian-key-debacle" where weak keys were generated? Did you update that key after the leak? (I remember the update to solve the problem searched for keys, but maybe it didn't find that one?)

Or maybe your external maintenance/backup script runs wild?

Good Luck.
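Added example, not part of the thread: a POSIX shell/awk triage that sorts `ps -eo user,pid,ppid,stat,args` output into the classes the reply describes (daemon listener, privileged monitor, authenticated session, pre-auth `[net]` child) and applies the reply's decision rule. It assumes that column layout and OpenSSH's process titles as shown above; the ps lines embedded in it are constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,ppid,stat,args`, restricted to sshd.
SAMPLE_PS='root     1174     1 Ss /usr/sbin/sshd
root    26011  1174 Ss sshd: spahan [priv]
spahan  26013 26011 S  sshd: spahan@pts/1
root    26126  1174 Ss sshd: spahan [priv]
sshd    26127 26126 S  sshd: spahan [net]
root    26130  1174 Ss sshd: postgres [priv]
sshd    26131 26130 S  sshd: postgres [net]
root    26140  1174 Ss sshd: root [priv]
sshd    26141 26140 S  sshd: root [net]'

# classify_sshd: reads ps lines on stdin, prints "<class> <user>" per sshd line.
#   listener - the daemon itself (args is the sshd binary path)
#   priv     - privileged monitor parent of a connection
#   session  - authenticated child ("sshd: user@pts/N")
#   unauth   - pre-auth child ("sshd: user [net]"), i.e. a login attempt in progress
classify_sshd() {
    awk '
        $5 == "sshd:" {
            user = $6; sub(/@.*/, "", user)
            if ($7 == "[net]")       cls = "unauth"
            else if ($7 == "[priv]") cls = "priv"
            else if ($6 ~ /@/)       cls = "session"
            else                     cls = "other"
            print cls, user
            next
        }
        $5 ~ /\/sshd$/ { print "listener", $1 }
    '
}

# count_class CLASS: number of sshd processes in that class (from the sample).
count_class() {
    printf '%s\n' "$SAMPLE_PS" | classify_sshd | awk -v c="$1" '$1 == c' | wc -l | tr -d ' '
}

# unauth_users: usernames the unauthenticated connections are trying, most frequent first.
unauth_users() {
    printf '%s\n' "$SAMPLE_PS" | classify_sshd | awk '$1 == "unauth" {print $2}' | sort | uniq -c | sort -rn
}

# triage: the reply's rule. A second listener deserves a look at its binary; many
# pre-auth children with few sessions means bruteforce (fail2ban territory);
# otherwise real logins happened and auth.log says who and how.
triage() {
    if [ "$(count_class listener)" -gt 1 ]; then
        echo "more than one sshd listener: verify each binary path and owner"
    elif [ "$(count_class unauth)" -gt "$(count_class session)" ]; then
        echo "mostly unauthenticated connections: likely bruteforce, consider fail2ban"
    else
        echo "sshd children are established sessions: check auth.log for who logged in"
    fi
}
```

Pipe live output in with `ps -eo user,pid,ppid,stat,args | classify_sshd` instead of the sample to run it on a real box.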

