From owner-freebsd-questions  Thu Dec 20  8:18: 9 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from tholian.rsasecurity.com (mail.rsasecurity.com [204.167.112.129]) by hub.freebsd.org (Postfix) with SMTP id 5000337B405 for ; Thu, 20 Dec 2001 08:18:00 -0800 (PST)
Received: from sdtihq24.securid.com by tholian.rsasecurity.com via smtpd (for hub.FreeBSD.org [216.136.204.18]) with SMTP; 20 Dec 2001 16:17:47 UT
Received: from ebola.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id LAA00677 for ; Thu, 20 Dec 2001 11:17:55 -0500 (EST)
Received: from spirit.dynas.se (localhost [127.0.0.1]) by ebola.securitydynamics.com (8.10.2+Sun/8.9.1) with SMTP id fBKGHr022204 for ; Thu, 20 Dec 2001 11:17:53 -0500 (EST)
Received: (qmail 4014 invoked from network); 20 Dec 2001 16:17:52 -0000
Received: from explorer.rsa.com (HELO mikko.rsa.com) (10.81.217.59) by spirit.dynas.se with SMTP; 20 Dec 2001 16:17:52 -0000
Received: (from mikko@localhost) by mikko.rsa.com (8.11.6/8.11.6) id fBKGHnN12415; Thu, 20 Dec 2001 08:17:49 -0800 (PST) (envelope-from mikko)
Date: Thu, 20 Dec 2001 08:17:49 -0800 (PST)
From: Mikko Tyolajarvi
Message-Id: <200112201617.fBKGHnN12415@mikko.rsa.com>
To: jconner@enterit.com
Cc: questions@freebsd.org
Subject: Re: OPENSSH protocol 1 and a strange opened port normal?
Newsgroups: local.freebsd.questions
References: <5.1.0.14.0.20011220011620.04716950@mail.enterit.com>
X-Newsreader: NN version 6.5.6 (NOV)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In local.freebsd.questions you write:

>G'eve'n folks. May I request some brief assistance from the fellow BSD'ers
>out there?

>First, the following snippets:

>__SNIP__
[...]
>tcp4       0      0  *.52323                *.*                    LISTEN
><-- NOTE should not be opened!

>[root@zap /etc/ssh]# lsof | grep TCP | grep 52323
>-bash     189 root    3u  IPv4 0xc8824d80      0t0     TCP *:52323 (LISTEN)
>[root@zap /etc/ssh]# lsof | grep bash
>-bash     189 root  cwd  VDIR  13,131072   1024      2 /   <-- our culprit...to **
>-bash     189 root  rtd  VDIR  13,131072   1024      2 /
>-bash     189 root  txt  VREG  13,131078 589759 119295 /usr/local (/dev/da0s1g)

It is using a device node as its text file?  What is /dev/da0s1g on your
machine?

>-bash     189 root  txt  VREG  13,131077  75152 222278 /usr/libexec/ld-elf.so.1
>-bash     189 root  txt  VREG  13,131077  11712 143265 /usr/lib/libdescrypt.so.2
>-bash     189 root  txt  VREG  13,131077  32736 142934 /usr/lib/libutil.so.3
>-bash     189 root  txt  VREG  13,131077 559196 142943 /usr/lib/libc.so.4
>-bash     189 root    0u  VCHR        2,2    0t0   7965 /dev/null
>-bash     189 root    1u  VCHR        2,2    0t0   7965 /dev/null
>-bash     189 root    2u  VCHR        2,2    0t0   7965 /dev/null
>-bash     189 root    3u  IPv4 0xc8824d80    0t0        TCP *:52323 (LISTEN)   <-- ** to here
[...]
>[root@zap /etc/ssh]# ps awuxw | grep bash
>root     81009  0.0  0.6  1060  732  p0  R+   12:52AM   0:00.00 -su (bash)
>root       189  0.0  0.5  1212  576  ??  Is   12Dec01   0:02.48 -bash   <-- our culprit
>notjames 80501  0.0  0.6  1064  736  p0  Is   12:11AM   0:00.07 -bash (bash)
>root     80532  0.0  0.6  1060  732  p0  S    12:11AM   0:00.20 -su (bash)
>[root@zap /etc/ssh]#
>__END_SNIP__

>For some reason I don't have fuser on my box...that's another question I
>have...WHY? Anyone else missing that one or am I a bastard child

To find fuser you have to log in to your solaris box :)

Try fstat or sockstat.

>there? Possibly the machine was compromised. This is what I am trying to find
>out.

Most likely, the box was compromised.

How does the start time of that process correspond to the boot time of the
system?  I've seen a machine where the last line of /etc/rc started
/usr/bin/getty, which was a small program listening to some odd port...

>Judging from the lsof output it looks like it might be a real ssh daemon
>but why on earth would the process be called -bash? Why wouldn't it be
>called sshd (child of the main process)? I am thinking this might be an
>openssh thing. I am running a more recent version (I built from ports)
>openssh.

The reason for calling it "bash" is probably to make it look innocent in
ps listings.

Do the contents of /proc/189/ give any hints?  What does "file" point to?

>__SNIP__
>[root@zap /var]# sshd -v
>sshd: illegal option -- v
>sshd version OpenSSH_3.0.2
>[root@zap /var]# telnet localhost 52323
>Trying ::1...
>telnet: connect to address ::1: Connection refused
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>SSH-1.5-1.2.27
>__END_SNIP__

>So I know that that port leads to some kind of ssh and a very old one at
>that :(

>I killed my current daemon to see if that killed the rogue ssh daemon and
>it didn't. I can kill this daemon manually but that wouldn't help me find
>out where it's getting kicked off from. I ran a standard find (realizing
>that I might have been trojaned, I replaced my current find with a fresh
>shiny new copy of find) and I searched for bash. I found nothing but the
>usual bash. I tested that bash and it acts completely normal. So, anyone
>have any suggestions? I have to have missed something.

Just because it acts normal does not mean it hasn't been trojaned :)

But my guess is "bash" is not involved at all.

     $.02,
     /Mikko
-- 
 Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
 RSA Security

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
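The checks Mikko suggests above (does the listener belong to a process that merely calls itself a shell, does that process have a controlling terminal, what does /proc/<pid>/file resolve to, and does the banner on the port match the sshd you actually built) can be applied mechanically to the ps and lsof output. The following is an added example, not code from the thread or from FreeBSD: it parses constructed samples shaped like the `ps awuxw` and `lsof` output in the post, and the executable path and the installed version string it compares against are assumptions supplied by the caller, not anything read from the box.

```python
"""Triage of a suspicious listener (added example, not from the thread).

Replays the evidence shape shown in the post (ps, lsof, an SSH banner, and
what /proc/<pid>/file would resolve to) as constructed sample strings and
applies the checks the reply suggests.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `ps awuxw` (columns as on 4.x FreeBSD).
PS_SAMPLE = """\
USER       PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root     81009  0.0  0.6  1060  732  p0  R+   12:52AM   0:00.00 -su (bash)
root       189  0.0  0.5  1212  576  ??  Is   12Dec01   0:02.48 -bash
notjames 80501  0.0  0.6  1064  736  p0  Is   12:11AM   0:00.07 -bash (bash)
root       123  0.0  0.5  2800  900  ??  Is   12Dec01   0:00.30 /usr/sbin/sshd
"""

# Constructed sample in the shape of `lsof` output (COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME); only numeric file descriptors are used here.
LSOF_SAMPLE = """\
-bash     189 root     0u  VCHR   2,2        0t0  7965 /dev/null
-bash     189 root     1u  VCHR   2,2        0t0  7965 /dev/null
-bash     189 root     2u  VCHR   2,2        0t0  7965 /dev/null
-bash     189 root     3u  IPv4   0xc8824d80 0t0   TCP *:52323 (LISTEN)
sshd      123 root     0u  VCHR   2,2        0t0  7965 /dev/null
sshd      123 root     3u  IPv4   0xc8824d90 0t0   TCP *:22 (LISTEN)
-bash   80501 notjames 0u  VCHR   0,0        0t0  7900 /dev/ttyp0
"""

# argv[0] values an interactive or login shell would show in ps.
SHELL_NAME = re.compile(r"^-?(sh|bash|csh|tcsh|ksh|zsh|su)\b")


@dataclass
class Proc:
    user: str
    pid: int
    tty: str
    stat: str
    started: str
    command: str
    fds: dict = field(default_factory=dict)  # fd number -> lsof NAME column


def parse_ps(text):
    """Map pid -> Proc from `ps awuxw` output; the header line is skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 10)
        if len(f) < 11 or f[0] == "USER":
            continue
        procs[int(f[1])] = Proc(f[0], int(f[1]), f[6], f[7], f[8], f[10])
    return procs


def attach_fds(procs, lsof_text):
    """Record each numeric file descriptor from lsof output on its process."""
    for line in lsof_text.splitlines():
        f = line.split(None, 8)
        if len(f) < 9 or not f[3][:-1].isdigit():  # skip cwd/rtd/txt entries
            continue
        pid = int(f[1])
        if pid in procs:
            procs[pid].fds[int(f[3][:-1])] = f[8]


def listen_sockets(proc):
    return [n.replace(" (LISTEN)", "") for n in proc.fds.values() if "(LISTEN)" in n]


def triage(ps_text, lsof_text):
    """Return (pid, listening sockets, indicators) for every process that is
    named like an interactive shell yet owns a listening TCP socket."""
    procs = parse_ps(ps_text)
    attach_fds(procs, lsof_text)
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        listens = listen_sockets(p)
        if not listens or not SHELL_NAME.match(p.command):
            continue
        why = ["shell-named process holds a listening socket"]
        if p.tty == "??":
            why.append("no controlling terminal")
        if all(p.fds.get(i) == "/dev/null" for i in range(3)):
            why.append("stdin/stdout/stderr on /dev/null")
        findings.append((p.pid, listens, why))
    return findings


def exe_name_matches(command, exe_path):
    """Compare the argv[0] shown by ps with the real executable (what
    /proc/<pid>/file resolves to on FreeBSD); a login shell's '-' is ignored."""
    claimed = command.split()[0].lstrip("-")
    return os.path.basename(exe_path) == claimed


def banner_matches_installed(banner, installed):
    """True if the software field of an SSH banner names the daemon you installed."""
    m = re.match(r"^SSH-\d\.\d+-(\S+)", banner)
    return bool(m) and m.group(1) == installed


if __name__ == "__main__":
    for pid, socks, why in triage(PS_SAMPLE, LSOF_SAMPLE):
        print(pid, socks, "; ".join(why))
    # Assumed path: what /proc/189/file might point at on the box in the post.
    print("argv[0] matches exe:", exe_name_matches("-bash", "/usr/local/sbin/sshd"))
    print("banner is our sshd:", banner_matches_installed("SSH-1.5-1.2.27", "OpenSSH_3.0.2"))
```

On a live FreeBSD box the two samples would be replaced by the real `ps awuxw` and `lsof` output; `sockstat` gives the port-to-pid mapping directly and `fstat -p <pid>` the descriptors, so lsof is not strictly needed. The start-time question in the reply is answered by comparing `ps -o lstart -p <pid>` with `sysctl kern.boottime`: a listener that came up within seconds of boot was started by something in the boot sequence, which is where to look next.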