Sorry, Hanspeter, for the extra posting to you directly. ----- Original Message ---- > From: Hanspeter Spalinger <[email protected]> > schrieb Marc Shapiro: > I am running a Lenny box, with > postgressq-8.4. > > I ran ps -e, just now, and there were over 350 > sshd processes running under user postgres. I killed the postgresql-8.4 > process, but the sshd processes were still there, so I killed them. I then > started postgres again, followed by ssh. I immediately ran ps -e and the > where over 200 sshd processes, again. Is this normal? There should > not be anything running, that I know of, that should be accessing any > databases.
- - are those sshds logins (eg, not servers)? check 'netstat -anp | > grep sshd'. if those processes are LISTEN, they are servers, if they > are ESTABLISHED, you seeing login (attempts maybe) If those are > servers, you most likely got hacked -> get help from google and friends > for advice. If those are login (attempts) read on. - - are those > actual connections or just login attempts? On my squeeze logged in users show > 2 lines like: root 26011 [...] > Ss 15:04 0:00 sshd: spahan [priv] spahan 26013 > [...] S 15:04 0:00 sshd: > spa...@pts/1 For login attempts it shows root 26126 > [...] Ss 15:24 0:00 sshd: spahan > [priv] sshd 26127 [...] > S 15:24 0:00 sshd: spahan [net] I am getting lines like: tcp 0 1 192.168.1.2:49526 59.120.141.34:22 SYN_SENT 9853/sshd tcp 0 0 192.168.1.2:35055 59.120.163.53:22 ESTABLISHED 9995/sshd Most of the lines (about 120?) say ESTABLISHED. Only about 6 say SYN_SENT. Does this mean someone is attempting to connect, but has not yest been successful? I will check pstree after I get home from work. Meanwhile, I keep shutting shown postgres and killing the processes. -- Marc Shapiro [email protected] -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
