Date: Thu, 20 Dec 2001 08:17:49 -0800 (PST)
From: Mikko Tyolajarvi <mikko@dynas.se>
To: jconner@enterit.com
Cc: questions@freebsd.org
Subject: Re: OPENSSH protocol 1 and a strange opened port normal?
Message-ID: <200112201617.fBKGHnN12415@mikko.rsa.com>
References: <5.1.0.14.0.20011220011620.04716950@mail.enterit.com>
In local.freebsd.questions you write:

>G'eve'n folks. May I request some brief assistance from the fellow BSD'ers out there?

>First, the following snippets:

>__SNIP__
[...]
>tcp4 0 0 *.52323 *.* LISTEN <-- NOTE should not be opened!
>[root@zap /etc/ssh]# lsof | grep TCP | grep 52323
>- -bash 189 root 3u IPv4 0xc8824d80 0t0 TCP *:52323 (LISTEN)
>[root@zap /etc/ssh]# lsof | grep bash
>- -bash 189 root cwd VDIR 13,131072 1024 2 / <-- our culprit...to **
>- -bash 189 root rtd VDIR 13,131072 1024 2 /
>- -bash 189 root txt VREG 13,131078 589759 119295 /usr/local (/dev/da0s1g)

It is using a device node as its text file? What is /dev/da0s1g on your machine?

>- -bash 189 root txt VREG 13,131077 75152 222278 /usr/libexec/ld-elf.so.1
>- -bash 189 root txt VREG 13,131077 11712 143265 /usr/lib/libdescrypt.so.2
>- -bash 189 root txt VREG 13,131077 32736 142934 /usr/lib/libutil.so.3
>- -bash 189 root txt VREG 13,131077 559196 142943 /usr/lib/libc.so.4
>- -bash 189 root 0u VCHR 2,2 0t0 7965 /dev/null
>- -bash 189 root 1u VCHR 2,2 0t0 7965 /dev/null
>- -bash 189 root 2u VCHR 2,2 0t0 7965 /dev/null
>- -bash 189 root 3u IPv4 0xc8824d80 0t0 TCP *:52323 (LISTEN) <-- ** to here
[...]
>[root@zap /etc/ssh]# ps awuxw | grep bash
>root 81009 0.0 0.6 1060 732 p0 R+ 12:52AM 0:00.00 -su (bash)
>root 189 0.0 0.5 1212 576 ?? Is 12Dec01 0:02.48 -bash <-- our culprit
>notjames 80501 0.0 0.6 1064 736 p0 Is 12:11AM 0:00.07 -bash (bash)
>root 80532 0.0 0.6 1060 732 p0 S 12:11AM 0:00.20 -su (bash)
>[root@zap /etc/ssh]#
>__END_SNIP__

>For some reason I don't have fuser on my box...that's another question I have...WHY? Anyone else missing that one or am I a bastard child there?

To find fuser you have to log in to your solaris box :)

Try fstat or sockstat.

>Possibly machine was compromised. This is what I am trying to find out.

Most likely, the box was compromised. How does the start time of that process correspond to the boot time of the system?

I've seen a machine where the last line of /etc/rc started /usr/bin/getty, which was a small program listening to some odd port...

>Judging from the lsof output it looks like it might be a real ssh daemon but why on earth would the process be called -bash? Why wouldn't it be called sshd (child of the main process)? I am thinking this might be an openssh thing. I am running a more recent version (I built from ports) openssh.

The reason for calling it "bash" is probably to make it look innocent in ps listings.

Do the contents of /proc/189/ give any hints? What does "file" point to?

>__SNIP__
>[root@zap /var]# sshd -v
>sshd: illegal option -- v
>sshd version OpenSSH_3.0.2
>[root@zap /var]# telnet localhost 52323
>Trying ::1...
>telnet: connect to address ::1: Connection refused
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>SSH-1.5-1.2.27
>__END_SNIP__

>So I know that that port leads to some kind of ssh and a very old one at that :(

>I killed my current daemon to see if that killed the rogue ssh daemon and it didn't. I can kill this daemon manually but that wouldn't help me find out where it's getting kicked off from. I ran a standard find (realizing that I might have been trojaned, I replaced my current find with a fresh shiny new copy of find) and I searched for bash. I found nothing but the usual bash. I tested that bash and it acts completely normal. So, anyone have any suggestions? I have to have missed something.

Just because it acts normal does not mean it hasn't been trojaned :)

But my guess is "bash" is not involved at all.

$.02,
/Mikko

--
Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
RSA Security
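An added example, not code from the thread, of the check that the "Try fstat or sockstat" advice above points at: parse `sockstat -4 -l` output and flag any login shell that owns a listening socket, which is exactly how the rogue daemon here (pid 189, "-bash" on *:52323) shows up. The sockstat column layout, the expected-listener baseline and the sample output are assumptions constructed for the example.

```python
"""Flag suspicious TCP listeners in FreeBSD `sockstat -4 -l` output (added example).

The rogue daemon in the thread appears as a login shell ("-bash", pid 189) holding a
LISTEN socket on *:52323.  Assumes the FreeBSD sockstat column layout:
USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "user command pid port")
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
# Assumed baseline: (command, port) pairs this host is expected to listen on.
EXPECTED = {("sshd", 22), ("sendmail", 25)}

# Constructed sample output, modelled on the listener from the thread.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       223   4  tcp4   *:22                  *:*
root     sendmail   230   5  tcp4   127.0.0.1:25          *:*
root     -bash      189   3  tcp4   *:52323               *:*
root     syslogd    140   4  udp4   *:514                 *:*
"""

def parse_sockstat(text):
    """Return one Listener per TCP line, skipping the header and UDP sockets."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = parts[:6]
        if not proto.startswith("tcp"):
            continue
        # LOCAL ADDRESS is host:port; rsplit also copes with IPv6 colons.
        port = int(local.rsplit(":", 1)[1])
        listeners.append(Listener(user, command, int(pid), port))
    return listeners

def suspicious(listeners):
    """Pair each listener that should not exist with the reason it was flagged."""
    findings = []
    for l in listeners:
        # ps and sockstat show login shells with a leading "-", as in "-bash".
        if l.command.lstrip("-") in SHELLS:
            findings.append((l, "interactive shell holding a listening socket"))
        elif (l.command, l.port) not in EXPECTED:
            findings.append((l, "listener not in expected baseline"))
    return findings

if __name__ == "__main__":
    print(*suspicious(parse_sockstat(SAMPLE)), sep="\n")
```

On a live box the same functions can be fed the output of `sockstat -4 -l` directly; the baseline is the part that has to be maintained per host.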