LinuxQuestions.org > Linux - Software > Something strange(?) Going on with the sshd
https://www.linuxquestions.org/questions/linux-software-2/something-strange-going-on-with-the-sshd-337289/

whatnoname 06-26-2005 08:21 AM

Something strange(?) Going on with the sshd
 
Whilst tootling about, I've noticed that apparently I have 3 ssh sessions open to my server:
Code:

[root@moop home]# who
fred      pts/2        Jun 26 14:07 (blah.com)
fred      pts/4        Jun 26 01:30 (blah.com)
fred      pts/6        Jun 20 14:06 (blah.com)

Now, running a ps command doesn't give me 3 separate entries:
Code:

[root@moop home]# ps aux|grep sshd
root     19955  0.0  0.0  5380  1416 ?        S    14:07   0:00 /usr/sbin/sshd
root     19966  0.0  0.0  9044  2056 ?        S    14:07   0:00 sshd: fred [priv]
fred     19984  0.0  0.0  9044  2248 ?        S    14:07   0:00 sshd: fred@pts/2
root     20150  0.0  0.0  4968   612 pts/2    S    14:10   0:00 grep sshd

The who command tells me that apparently I'm connected 3 times to the server(!?!), yet I know for sure I only have 1 ssh session open. And ps is only showing the one entry "fred@pts/2"; what about the alleged other 2?

For the life of me, I really don't see what/how/why this has happened :( I have restarted the sshd, but surely doing this would terminate all connections over ssh...

So, what / where am I screwing up :)

Thanks!
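
The check a practitioner would want before deciding whether three `who` entries are stale utmp records or three live sessions: `who` reads utmp, while `ps` reads the process table, so for each terminal `who` reports, look whether any process actually has that tty as its controlling terminal. The script below is an added example, not something posted in the thread; its function names are hypothetical and the sample data is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile what `who` reports (utmp)
# with what the process table shows, so that a login record with no process
# on its terminal stands out as a stale utmp entry rather than a live session.
# Function names are hypothetical; the sample data below is constructed from
# the output quoted in the post.

# reconcile_who WHO_OUTPUT TTY_LIST
#   WHO_OUTPUT: the text printed by `who`
#   TTY_LIST:   one controlling terminal per line, as printed by `ps -eo tty=`
# Prints "user tty STATE" per who entry: LIVE if some process has that tty,
# STALE if none does, SKIP for non-terminal entries such as an X display (:0).
reconcile_who() {
    who_out=$1
    tty_list=$2
    printf '%s\n' "$who_out" | while read -r user tty _rest; do
        [ -z "$user" ] && continue
        case "$tty" in
            pts/*|tty*) ;;
            *) printf '%s %s SKIP\n' "$user" "$tty"; continue ;;
        esac
        if printf '%s\n' "$tty_list" | grep -qxF -- "$tty"; then
            printf '%s %s LIVE\n' "$user" "$tty"
        else
            printf '%s %s STALE\n' "$user" "$tty"
        fi
    done
}

# Run the check against the running system (Linux procps `ps`).
reconcile_live() {
    reconcile_who "$(who)" "$(ps -eo tty= | awk '{print $1}')"
}

# Constructed sample: the three `who` lines from the post, and a tty list in
# which only pts/2 has processes attached (the sshd child and the shell).
SAMPLE_WHO='fred      pts/2        Jun 26 14:07 (blah.com)
fred      pts/4        Jun 26 01:30 (blah.com)
fred      pts/6        Jun 20 14:06 (blah.com)'
SAMPLE_TTYS='?
?
?
pts/2
pts/2'

if [ "${1:-}" = live ]; then
    reconcile_live        # sh reconcile.sh live
else
    reconcile_who "$SAMPLE_WHO" "$SAMPLE_TTYS"
fi
```

On the sample data this prints `fred pts/2 LIVE`, `fred pts/4 STALE` and `fred pts/6 STALE`. A STALE result on its own only says that utmp and the process table disagree; a rootkit that hides processes from `ps` would produce the same picture, so it should be read together with independent evidence such as the network side (`ss -tnp` or `lsof -i` for established sshd connections) and, ideally, tools brought from a known-good medium rather than the ones on the box.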

homey 06-27-2005 06:33 PM

I can't remember what the reason is for it looking like that, but it's pretty much the same on this box.
Code:

[root@sony ~]# who
root     :0           Jun 27 12:27
root     pts/1        Jun 27 12:27
root     pts/2        Jun 27 19:29
[root@sony ~]# ps aux|grep sshd
root      1889  0.0  0.4  4392  1720 ?        Ss   12:27   0:00 /usr/sbin/sshd
root     10747  0.0  0.1  3756   684 pts/2    R+   19:30   0:00 grep sshd

If you want to run chkrootkit, don't forget to close out firefox first or you'll get a little scare. :)

whatnoname 06-27-2005 10:31 PM

Hi homey,

I ran chkrootkit, and I have an entry popping up, which is running on the same port as usermin. I'm looking into this; I believe it's just a false positive from what I've so far gathered (you can't log in as root via usermin, and those users who have access to it can't even use ssh, though clearly if there's something amiss it needs to be fixed).

Code:

Checking `bindshell'... INFECTED (PORTS:  xxxxx)
Quote:

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
Usermin is bound to one of those ports... Time to move it, I guess.

Thanks homey, chkrootkit is one of those programs that, having been used once, I don't think I'll be able to go without again. Though I'd still like to get to the bottom of why I have 3 "me's" listed from a who, yet only being connected once. Even though chkrootkit is saying nothing is compromised (I hope...), it's just bang-out-of-order that a who command would give seemingly false information; it leaves the whole "but maybe the box is compromised" debate open.
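
The bindshell test in chkrootkit only knows that something answers on one of the ports in that list; the step that turns INFECTED into "false positive" or "real problem" is attributing the listener to a process. The script below is an added example, not something posted in the thread; its function names are hypothetical, and because the flagged port was redacted in the post, the sample `ss` output is constructed and does not assume which port usermin was on.

```shell
#!/bin/sh
# Added example, not from the thread: when chkrootkit's bindshell test flags a
# port, find out which process owns that listener before deciding it is a
# false positive. Function names are hypothetical; the listener sample below
# is constructed (the port in the post was redacted, so none is assumed).

# The ports chkrootkit's bindshell test probes, as quoted in the post.
BINDSHELL_PORTS='114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001'

# flagged_listeners SS_OUTPUT
#   SS_OUTPUT: lines from `ss -ltnp` with the header removed
# Prints "port owner" for every listener on a bindshell-probe port. owner is
# ss's process column, or UNKNOWN when ss could not attribute the socket
# (run as root, otherwise sockets of other users show no process).
flagged_listeners() {
    printf '%s\n' "$1" | while read -r _state _rq _sq laddr _peer proc; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}                # works for 0.0.0.0:P, [::]:P and *:P
        case " $BINDSHELL_PORTS " in
            *" $port "*) printf '%s %s\n' "$port" "${proc:-UNKNOWN}" ;;
        esac
    done
}

# Run against the live system; ss comes from iproute2 on modern Linux.
flagged_live() {
    if command -v ss >/dev/null 2>&1; then
        flagged_listeners "$(ss -ltnp | tail -n +2)"
    else
        echo 'ss not found; try: netstat -ltnp  or  lsof -iTCP -sTCP:LISTEN -P -n' >&2
        return 1
    fi
}

# Constructed sample `ss -ltnp` body: sshd, a known daemon on a probed port
# (what a usermin-style false positive looks like), a loopback printer daemon
# on a non-probed port, and a listener on 31337 that ss cannot attribute.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:10008 0.0.0.0:* users:(("sample-daemon",pid=4242,fd=6))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 128 *:31337 *:*'

if [ "${1:-}" = live ]; then
    flagged_live          # sh flagged.sh live   (as root)
else
    flagged_listeners "$SAMPLE_SS"
fi
```

On the sample this prints the known daemon on 10008 with its process, and `31337 UNKNOWN` for the socket `ss` could not attribute. The first is the shape of a false positive that moving the service off a probed port makes go away; the second is the case that deserves attention, with the same caveat as before: `ss`, `netstat` and `lsof` on a suspect box are only as trustworthy as the box itself, so a listener that matters should be confirmed from another host (a port scan of the machine) or with binaries from a known-good medium.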

