Suspicious process running under user sshd

Posted: 09 Jun 2016, 05:45
by somesh
Hi,
I have received too many lfd alert mails. I have added the IP (116.31.116.47) to csf.deny but am still receiving the alert mails regarding this IP. The mail states:

Time: Wed Jun 8 11:01:04 2016 +0100
PID: 26038 (Parent PID:26037)
Account: sshd
Uptime: 95 seconds


Executable:

/usr/local/sbin/sshd


Command Line (often faked in exploits):

sshd: [net]


Network connections by the process (if any):

tcp: 192.168.0.250:22 -> 116.31.116.47:29949


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):


The parent ID and port number in all other lfd mails are changing, but the IP (116.31.116.47) is the same.

Kindly help me to resolve the issue.

Regards,
Somesh

Re: Suspicious process running under user sshd

Posted: 13 Jun 2016, 06:43
by Sergio
Check your csf.pignore to see if sshd is there.

Usually you need to add:
exe:/usr/sbin/sshd
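
An added example (not code from this thread or from csf itself) showing what a csf.pignore entry does for a process reported in an lfd "Suspicious process" alert, and why the path has to match: the alert above lists the executable as /usr/local/sbin/sshd, so an exe: entry for a different path does not cover it. It assumes csf.pignore's documented prefixes: exe:, user: and cmd: are exact matches, pexe:, puser: and pcmd: are regular expressions.

```shell
#!/bin/sh
# Added example, not from the thread or the csf project. Decides whether a
# process would be skipped by csf.pignore. Assumed matching rules: exe:/user:/cmd:
# compare exactly, pexe:/puser:/pcmd: are extended regular expressions.

# pignore_matches FILE EXE USER CMD -> exit 0 if some line in FILE covers the process
pignore_matches() {
    file=$1; exe=$2; user=$3; cmd=$4
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*)  continue ;;                                   # blank or comment
            exe:*)   [ "${line#exe:}"  = "$exe"  ] && return 0 ;;
            user:*)  [ "${line#user:}" = "$user" ] && return 0 ;;
            cmd:*)   [ "${line#cmd:}"  = "$cmd"  ] && return 0 ;;
            pexe:*)  printf '%s\n' "$exe"  | grep -Eq -- "${line#pexe:}"  && return 0 ;;
            puser:*) printf '%s\n' "$user" | grep -Eq -- "${line#puser:}" && return 0 ;;
            pcmd:*)  printf '%s\n' "$cmd"  | grep -Eq -- "${line#pcmd:}"  && return 0 ;;
        esac
    done < "$file"
    return 1
}

# Constructed sample csf.pignore holding the entry suggested in the thread.
PIGNORE=$(mktemp)
trap 'rm -f "$PIGNORE"' EXIT
cat > "$PIGNORE" <<'EOF'
# constructed sample csf.pignore
exe:/usr/sbin/sshd
user:named
EOF

# Values taken from the alert quoted in the thread.
ALERT_EXE=/usr/local/sbin/sshd
ALERT_USER=sshd
ALERT_CMD='sshd: [net]'

# check_alert_ignored -> prints "ignored" or "still alerts" for the quoted alert
check_alert_ignored() {
    if pignore_matches "$PIGNORE" "$ALERT_EXE" "$ALERT_USER" "$ALERT_CMD"; then
        printf 'ignored\n'
    else
        printf 'still alerts\n'
    fi
}

check_alert_ignored   # exe:/usr/sbin/sshd does not match /usr/local/sbin/sshd
```

Appending a line for the path the alert actually reports (or a pexe: pattern covering both locations) is what flips the result to "ignored".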

Re: Suspicious process running under user sshd

Posted: 13 Jun 2016, 07:48
by somesh
Adding the sshd user to the csf.pignore list is also not a good option, as it will ignore all SSH login alerts.

Re: Suspicious process running under user sshd

Posted: 13 Jun 2016, 14:38
by Sergio
somesh wrote: Adding the sshd user to the csf.pignore list is also not a good option, as it will ignore all SSH login alerts.
I don't agree with that. In CSF you have:

Send an email alert if anyone logs in successfully using SSH
SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = ON

Also, CSF can block anyone who can't log in to SSH:

Enable login failure detection of sshd connections
SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = 4 Default: 5 [0-100]
LF_SSHD_PERM = 1 Default: 1 [0-604800]

But the most important thing is to change your SSH port to something else, as nobody will know which port SSH is using.

Sergio