Date:      Thu, 20 Dec 2001 01:44:08 -0500
From:      Jim Conner <jconner@enterit.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   OPENSSH protocol 1 and a strange opened port normal?
Message-ID:  <5.1.0.14.0.20011220011620.04716950@mail.enterit.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G'eve'n folks.  May I request some brief assistance from the fellow BSD'ers 
out there?

First, the following snippets:

__SNIP__

tcp4       0      0  *.6668                 *.*                    LISTEN
tcp4       0      0  *.6669                 *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.52323                *.*                    LISTEN  <-- NOTE should not be opened!
udp4       0      0  *.2445                 *.*

[root@zap /etc/ssh]# lsof | grep TCP | grep 52323
- -bash       189     root    3u  IPv4 0xc8824d80        0t0    TCP *:52323 (LISTEN)

[root@zap /etc/ssh]# lsof | grep bash
- -bash       189     root  cwd   VDIR  13,131072       1024      2 /  <-- our culprit...to **
- -bash       189     root  rtd   VDIR  13,131072       1024      2 /
- -bash       189     root  txt   VREG  13,131078     589759 119295 /usr/local (/dev/da0s1g)
- -bash       189     root  txt   VREG  13,131077      75152 222278 /usr/libexec/ld-elf.so.1
- -bash       189     root  txt   VREG  13,131077      11712 143265 /usr/lib/libdescrypt.so.2
- -bash       189     root  txt   VREG  13,131077      32736 142934 /usr/lib/libutil.so.3
- -bash       189     root  txt   VREG  13,131077     559196 142943 /usr/lib/libc.so.4
- -bash       189     root    0u  VCHR        2,2        0t0   7965 /dev/null
- -bash       189     root    1u  VCHR        2,2        0t0   7965 /dev/null
- -bash       189     root    2u  VCHR        2,2        0t0   7965 /dev/null
- -bash       189     root    3u  IPv4 0xc8824d80        0t0    TCP *:52323 (LISTEN)  <-- ** to here
bash      80501 notjames  cwd   VDIR  13,131075        512  15616 /services/users/notjames
bash      80501 notjames  rtd   VDIR  13,131072       1024      2 /
bash      80501 notjames  txt   VREG  13,131078     780720   7953 /usr/local/bin/bash
bash      80501 notjames    0u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames    1u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames    2u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames  255u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root  cwd   VDIR  13,131072        512      3 /etc/ssh
bash      80532     root  rtd   VDIR  13,131072       1024      2 /
bash      80532     root  txt   VREG  13,131078     780720   7953 /usr/local/bin/bash
bash      80532     root    0u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root    1u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root    2u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root  255u  VCHR        5,0    0t30652   8287 /dev/ttyp0

[root@zap /etc/ssh]# ps awuxw | grep bash
root     81009  0.0  0.6  1060  732  p0  R+   12:52AM   0:00.00 -su (bash)
root       189  0.0  0.5  1212  576  ??  Is   12Dec01   0:02.48 -bash  <-- our culprit
notjames 80501  0.0  0.6  1064  736  p0  Is   12:11AM   0:00.07 -bash (bash)
root     80532  0.0  0.6  1060  732  p0  S    12:11AM   0:00.20 -su (bash)
[root@zap /etc/ssh]#

__END_SNIP__

For some reason I don't have fuser on my box...that's another question I 
have...WHY?  Anyone else missing that one or am I a bastard child 
there?  Possibly the machine was compromised.  This is what I am trying to find 
out.

Judging from the lsof output it looks like it might be a real ssh daemon, 
but why on earth would the process be called -bash?  Why wouldn't it be 
called sshd (child of the main process)?  I am thinking this might be an 
openssh thing.  I am running a more recent version of openssh (I built it 
from ports).

__SNIP__

[root@zap /var]# sshd -v
sshd: illegal option -- v
sshd version OpenSSH_3.0.2

[root@zap /var]# telnet localhost 52323
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-1.2.27

__END_SNIP__

So I know that that port leads to some kind of ssh, and a very old one at 
that :(

I killed my current daemon to see if that killed the rogue ssh daemon, and 
it didn't.  I can kill this daemon manually, but that wouldn't help me find 
out where it's getting kicked off from.  I ran a standard find (realizing 
that I might have been trojaned, I replaced my current find with a fresh, 
shiny new copy of find) and I searched for bash.  I found nothing but the 
usual bash.  I tested that bash and it acts completely normal.  So, anyone 
have any suggestions?  I have to have missed something.

- - Jim

Philosophy is for those who have nothing better to do than wonder
why philosophy is for those who have nothing better to do than...

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>;

iQA/AwUBPCGIt9snJUihkt7CEQIO2QCg699HWy6zPdv7wK5LO6Uvqmxv/mYAnRQ6
+cJ7/GjHdzq5DkLRsrRX11Dj
=LZgg
-----END PGP SIGNATURE-----
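
The correlation the post does by hand (netstat for the listening port, lsof to find the process that owns it, then a look at what that process really is) can be scripted so the same triage runs over a whole lsof dump at once. The following is an added example, not code from the post or from FreeBSD or OpenSSH. It assumes the standard plain-lsof column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) and uses as constructed sample input the post's own lsof lines, re-joined onto single lines with the PGP dash-escaping removed. The three triage rules it applies (a shell holding a TCP listening socket, a shell detached with all of stdio on /dev/null, and an executable that lsof could only report as a mount point and device) are my own heuristics, not anything the post states.

```python
import os

# Command names that are interactive shells: a shell has no business holding
# a TCP listening socket or running detached with stdin/stdout/stderr on
# /dev/null. (Heuristic, assumed for this example.)
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

# Constructed sample input: the lsof lines quoted in the post, re-joined onto
# single lines and with the PGP "- " dash-escaping removed.
SAMPLE_LSOF = """\
-bash       189     root  cwd   VDIR  13,131072       1024      2 /
-bash       189     root  rtd   VDIR  13,131072       1024      2 /
-bash       189     root  txt   VREG  13,131078     589759 119295 /usr/local (/dev/da0s1g)
-bash       189     root  txt   VREG  13,131077      75152 222278 /usr/libexec/ld-elf.so.1
-bash       189     root  txt   VREG  13,131077      11712 143265 /usr/lib/libdescrypt.so.2
-bash       189     root  txt   VREG  13,131077      32736 142934 /usr/lib/libutil.so.3
-bash       189     root  txt   VREG  13,131077     559196 142943 /usr/lib/libc.so.4
-bash       189     root    0u  VCHR        2,2        0t0   7965 /dev/null
-bash       189     root    1u  VCHR        2,2        0t0   7965 /dev/null
-bash       189     root    2u  VCHR        2,2        0t0   7965 /dev/null
-bash       189     root    3u  IPv4 0xc8824d80        0t0    TCP *:52323 (LISTEN)
bash      80501 notjames  cwd   VDIR  13,131075        512  15616 /services/users/notjames
bash      80501 notjames  rtd   VDIR  13,131072       1024      2 /
bash      80501 notjames  txt   VREG  13,131078     780720   7953 /usr/local/bin/bash
bash      80501 notjames    0u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames    1u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames    2u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80501 notjames  255u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root  cwd   VDIR  13,131072        512      3 /etc/ssh
bash      80532     root  rtd   VDIR  13,131072       1024      2 /
bash      80532     root  txt   VREG  13,131078     780720   7953 /usr/local/bin/bash
bash      80532     root    0u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root    1u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root    2u  VCHR        5,0    0t30652   8287 /dev/ttyp0
bash      80532     root  255u  VCHR        5,0    0t30652   8287 /dev/ttyp0
"""


def parse_lsof(text):
    """Group plain lsof output by PID.

    Columns are COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME. NAME may
    contain spaces ("*:52323 (LISTEN)"), so each line is split into at most
    nine fields and the remainder is kept whole as the name.
    """
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        rec = procs.setdefault(int(pid), {"cmd": cmd, "user": user, "fds": []})
        rec["fds"].append((fd, ftype, node, name))
    return procs


def listening_ports(procs):
    """Map TCP listening port -> PID: the join the post made with netstat
    and `lsof | grep 52323`, done for every listener at once."""
    ports = {}
    for pid, rec in procs.items():
        for _fd, _ftype, node, name in rec["fds"]:
            if node == "TCP" and name.endswith("(LISTEN)"):
                ports[int(name.split()[0].rsplit(":", 1)[1])] = pid
    return ports


def executable_of(rec):
    """The first 'txt' entry lsof prints for a process is its executable."""
    for fd, _ftype, _node, name in rec["fds"]:
        if fd == "txt":
            return name
    return None


def suspicious(procs):
    """Return (pid, reason) pairs for processes whose name does not fit
    what they are doing."""
    findings = []
    listeners = set(listening_ports(procs).values())
    for pid, rec in sorted(procs.items()):
        base = rec["cmd"].lstrip("-")  # login shells show up as "-bash"
        exe = executable_of(rec) or ""
        stdio = {name for fd, _, _, name in rec["fds"] if fd in ("0u", "1u", "2u")}
        if base in SHELLS and pid in listeners:
            findings.append((pid, "shell process holds a TCP listening socket"))
        if base in SHELLS and stdio == {"/dev/null"}:
            findings.append((pid, "shell detached from any terminal (stdio on /dev/null)"))
        # lsof typically prints "<mount point> (<device>)" when it cannot
        # resolve an open file to a path name, e.g. because the executable
        # was unlinked after exec; a genuine shell resolves to its full path.
        if "(" in exe and exe.endswith(")"):
            findings.append((pid, "executable path unresolved: " + exe))
        # lsof truncates COMMAND (9 characters by default), so compare prefixes.
        elif exe and not os.path.basename(exe).startswith(base):
            findings.append((pid, "command name does not match executable " + exe))
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    procs = parse_lsof(text)
    print("listening:", listening_ports(procs))
    for pid, reason in suspicious(procs):
        print("PID %d (%s): %s" % (pid, procs[pid]["cmd"], reason))
```

Run as `lsof | python3 lsof_triage.py` on a live box, or with no stdin to see it flag PID 189 three times from the sample while the two interactive bash sessions pass clean. The unresolved-executable rule is the one worth keeping in mind: a process whose text segment lsof can only name as a mount point is one whose binary is no longer findable by path, which is exactly why a `find` for bash turns up only the real one.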