Suspicious process running under user sshd

Post Reply
somesh
Junior Member
Posts: 2
Joined: 09 Jun 2016, 05:25

Suspicious process running under user sshd

Post by somesh »

Hi,
I have received too many lfd alert mails.I have added the ip(116.31.116.47) in csf.deny but still receiving the alert mails regarding this IP. The mail states as :--

Time: Wed Jun 8 11:01:04 2016 +0100
PID: 26038 (Parent PID:26037)
Account: sshd
Uptime: 95 seconds


Executable:

/usr/local/sbin/sshd


Command Line (often faked in exploits):

sshd: [net]


Network connections by the process (if any):

tcp: 192.168.0.250:22 -> 116.31.116.47:29949


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

7fc8796a5000-7fc8796b1000 r-xp 00000000 fd:00 1704022 /lib64/libnss_files-2.12.so
7fc8796b1000-7fc8798b1000 ---p 0000c000 fd:00 1704022 /lib64/libnss_files-2.12.so
7fc8798b1000-7fc8798b2000 r--p 0000c000 fd:00 1704022 /lib64/libnss_files-2.12.so
7fc8798b2000-7fc8798b3000 rw-p 0000d000 fd:00 1704022 /lib64/libnss_files-2.12.so
7fc8798b3000-7fc8798b5000 r-xp 00000000 fd:00 1704185 /lib64/libfreebl3.so
7fc8798b5000-7fc879ab4000 ---p 00002000 fd:00 1704185 /lib64/libfreebl3.so
7fc879ab4000-7fc879ab5000 r--p 00001000 fd:00 1704185 /lib64/libfreebl3.so
7fc879ab5000-7fc879ab6000 rw-p 00002000 fd:00 1704185 /lib64/libfreebl3.so
7fc879ab6000-7fc879acd000 r-xp 00000000 fd:00 1704048 /lib64/libpthread-2.12.so
7fc879acd000-7fc879ccd000 ---p 00017000 fd:00 1704048 /lib64/libpthread-2.12.so
7fc879ccd000-7fc879cce000 r--p 00017000 fd:00 1704048 /lib64/libpthread-2.12.so
7fc879cce000-7fc879ccf000 rw-p 00018000 fd:00 1704048 /lib64/libpthread-2.12.so
7fc879ccf000-7fc879cd3000 rw-p 00000000 00:00 0
7fc879cd3000-7fc879e5d000 r-xp 00000000 fd:00 1704047 /lib64/libc-2.12.so
7fc879e5d000-7fc87a05d000 ---p 0018a000 fd:00 1704047 /lib64/libc-2.12.so
7fc87a05d000-7fc87a061000 r--p 0018a000 fd:00 1704047 /lib64/libc-2.12.so
7fc87a061000-7fc87a062000 rw-p 0018e000 fd:00 1704047 /lib64/libc-2.12.so
7fc87a062000-7fc87a067000 rw-p 00000000 00:00 0
7fc87a067000-7fc87a07d000 r-xp 00000000 fd:00 1704003 /lib64/libresolv-2.12.so
7fc87a07d000-7fc87a27d000 ---p 00016000 fd:00 1704003 /lib64/libresolv-2.12.so
7fc87a27d000-7fc87a27e000 r--p 00016000 fd:00 1704003 /lib64/libresolv-2.12.so
7fc87a27e000-7fc87a27f000 rw-p 00017000 fd:00 1704003 /lib64/libresolv-2.12.so
7fc87a27f000-7fc87a281000 rw-p 00000000 00:00 0
7fc87a281000-7fc87a288000 r-xp 00000000 fd:00 1704274 /lib64/libcrypt-2.12.so
7fc87a288000-7fc87a488000 ---p 00007000 fd:00 1704274 /lib64/libcrypt-2.12.so
7fc87a488000-7fc87a489000 r--p 00007000 fd:00 1704274 /lib64/libcrypt-2.12.so
7fc87a489000-7fc87a48a000 rw-p 00008000 fd:00 1704274 /lib64/libcrypt-2.12.so
7fc87a48a000-7fc87a4b8000 rw-p 00000000 00:00 0
7fc87a4b8000-7fc87a4ce000 r-xp 00000000 fd:00 1704161 /lib64/libnsl-2.12.so
7fc87a4ce000-7fc87a6cd000 ---p 00016000 fd:00 1704161 /lib64/libnsl-2.12.so
7fc87a6cd000-7fc87a6ce000 r--p 00015000 fd:00 1704161 /lib64/libnsl-2.12.so
7fc87a6ce000-7fc87a6cf000 rw-p 00016000 fd:00 1704161 /lib64/libnsl-2.12.so
7fc87a6cf000-7fc87a6d1000 rw-p 00000000 00:00 0
7fc87a6d1000-7fc87a6e6000 r-xp 00000000 fd:00 1704052 /lib64/libz.so.1.2.3
7fc87a6e6000-7fc87a8e5000 ---p 00015000 fd:00 1704052 /lib64/libz.so.1.2.3
7fc87a8e5000-7fc87a8e6000 r--p 00014000 fd:00 1704052 /lib64/libz.so.1.2.3
7fc87a8e6000-7fc87a8e7000 rw-p 00015000 fd:00 1704052 /lib64/libz.so.1.2.3
7fc87a8e7000-7fc87a8e9000 r-xp 00000000 fd:00 1704495 /lib64/libutil-2.12.so
7fc87a8e9000-7fc87aae8000 ---p 00002000 fd:00 1704495 /lib64/libutil-2.12.so
7fc87aae8000-7fc87aae9000 r--p 00001000 fd:00 1704495 /lib64/libutil-2.12.so
7fc87aae9000-7fc87aaea000 rw-p 00002000 fd:00 1704495 /lib64/libutil-2.12.so
7fc87aaea000-7fc87aaec000 r-xp 00000000 fd:00 1704054 /lib64/libdl-2.12.so
7fc87aaec000-7fc87acec000 ---p 00002000 fd:00 1704054 /lib64/libdl-2.12.so
7fc87acec000-7fc87aced000 r--p 00002000 fd:00 1704054 /lib64/libdl-2.12.so
7fc87aced000-7fc87acee000 rw-p 00003000 fd:00 1704054 /lib64/libdl-2.12.so
7fc87acee000-7fc87acf5000 r-xp 00000000 fd:00 1703941 /lib64/librt-2.12.so
7fc87acf5000-7fc87aef4000 ---p 00007000 fd:00 1703941 /lib64/librt-2.12.so
7fc87aef4000-7fc87aef5000 r--p 00006000 fd:00 1703941 /lib64/librt-2.12.so
7fc87aef5000-7fc87aef6000 rw-p 00007000 fd:00 1703941 /lib64/librt-2.12.so
7fc87aef6000-7fc87b0af000 r-xp 00000000 fd:00 2640275 /usr/lib64/libcrypto.so.1.0.1e
7fc87b0af000-7fc87b2ae000 ---p 001b9000 fd:00 2640275 /usr/lib64/libcrypto.so.1.0.1e
7fc87b2ae000-7fc87b2c9000 r--p 001b8000 fd:00 2640275 /usr/lib64/libcrypto.so.1.0.1e
7fc87b2c9000-7fc87b2d5000 rw-p 001d3000 fd:00 2640275 /usr/lib64/libcrypto.so.1.0.1e
7fc87b2d5000-7fc87b2d9000 rw-p 00000000 00:00 0
7fc87b2d9000-7fc87b2f9000 r-xp 00000000 fd:00 1704041 /lib64/ld-2.12.so
7fc87b395000-7fc87b4d5000 rw-s 00000000 00:04 78816215 /dev/zero (deleted)
7fc87b4d5000-7fc87b4e5000 rw-s 00000000 00:04 78816214 /dev/zero (deleted)
7fc87b4e5000-7fc87b4ec000 rw-p 00000000 00:00 0
7fc87b4f7000-7fc87b4f8000 rw-p 00000000 00:00 0
7fc87b4f8000-7fc87b4f9000 r--p 0001f000 fd:00 1704041 /lib64/ld-2.12.so
7fc87b4f9000-7fc87b4fa000 rw-p 00020000 fd:00 1704041 /lib64/ld-2.12.so
7fc87b4fa000-7fc87b4fb000 rw-p 00000000 00:00 0
7fc87b4fb000-7fc87b5b3000 r-xp 00000000 fd:00 2636805 /usr/local/sbin/sshd
7fc87b7b2000-7fc87b7b5000 r--p 000b7000 fd:00 2636805 /usr/local/sbin/sshd
7fc87b7b5000-7fc87b7b6000 rw-p 000ba000 fd:00 2636805 /usr/local/sbin/sshd
7fc87b7b6000-7fc87b7c0000 rw-p 00000000 00:00 0
7fc87c71a000-7fc87c73b000 rw-p 00000000 00:00 0 [heap]
7fff7bfcb000-7fff7bfe0000 rw-p 00000000 00:00 0 [stack]
7fff7bff7000-7fff7bff8000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

The parent ID and port no in all other lfd mails are changing but the IP(116.31.116.47) is the same.

Kindly help me to resolve the issue.

Regards,
Somesh
Sergio
Junior Member
Posts: 1435
Joined: 12 Dec 2006, 14:56

Re: Suspicious process running under user sshd

Post by Sergio »

Check your CSF.PIGNORE if SSHD is there.

Usually you need to add:
exe:/usr/sbin/sshd
somesh
Junior Member
Posts: 2
Joined: 09 Jun 2016, 05:25

Re: Suspicious process running under user sshd

Post by somesh »

Add the sshd user in csf.pignore list is also not a good option as it will ignore all ssh login alerts.
Sergio
Junior Member
Posts: 1435
Joined: 12 Dec 2006, 14:56

Re: Suspicious process running under user sshd

Post by Sergio »

somesh wrote:Add the sshd user in csf.pignore list is also not a good option as it will ignore all ssh login alerts.
I don't agree with that. In CSF you have:

Send an email alert if anyone logs in successfully using SSH
SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = ON

Also, CSF can block any one that can't login to SSH:

[*]Enable login failure detection of sshd connections
SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = 4 Default: 5 [0-100]
LF_SSHD_PERM = 1 Default: 1 [0-604800]

But the most important is to change your SSH port to something else, as nobody will know what port SSH is using.

Sergio
Post Reply