LinuxQuestions.org
Old 06-26-2005, 09:21 AM   #1
whatnoname
LQ Newbie
 
Registered: Jun 2005
Posts: 7

Rep: Reputation: 0
Something strange(?) Going on with the sshd


Whilst tootling about, I've noticed that apparently I have 3 ssh sessions opened to my server:
Code:
 [root@moop home]# who
fred      pts/2        Jun 26 14:07 (blah.com)
fred      pts/4        Jun 26 01:30 (blah.com)
fred      pts/6        Jun 20 14:06 (blah.com)
Now, running a ps command doesn't give me 3 separate entries:
Code:
 [root@moop home]# ps aux|grep sshd
root     19955  0.0  0.0  5380 1416 ?        S    14:07   0:00 /usr/sbin/sshd
root     19966  0.0  0.0  9044 2056 ?        S    14:07   0:00 sshd: fred [priv]
fred      19984  0.0  0.0  9044 2248 ?        S    14:07   0:00 sshd: fred@pts/2
root     20150  0.0  0.0  4968  612 pts/2    S    14:10   0:00 grep sshd
The who command tells me that apparently I'm connected 3 times to the server(!?!) - yet I know for sure I only have 1 ssh session open. Yet ps is only showing the one entry " fred@pts/2 ". What about the alleged other 2?

For the life of me, I really don't see what/how/why this has happened. I have restarted the sshd, but surely doing this would terminate all connections over ssh..

So, what / where am I screwing up?

Thanks!
 
Old 06-27-2005, 07:33 PM   #2
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 56
I can't remember what the reason is for it looking like that but it's pretty much the same on this box.
Code:
[root@sony ~]# who
root     :0           Jun 27 12:27
root     pts/1        Jun 27 12:27
root     pts/2        Jun 27 19:29
[root@sony ~]# ps aux|grep sshd
root      1889  0.0  0.4   4392  1720 ?        Ss   12:27   0:00 /usr/sbin/sshd
root     10747  0.0  0.1   3756   684 pts/2    R+   19:30   0:00 grep sshd
If you want to run chkrootkit, don't forget to close out firefox first or you'll get a little scare.
 
Old 06-27-2005, 11:31 PM   #3
whatnoname
LQ Newbie
 
Registered: Jun 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Hi homey,

I ran chkrootkit, and I have an entry popping up, which is running on the same port as usermin. I'm looking into this - I believe it's just a false positive from what I've so far gathered (you can't login as root via usermin, and those users who have access to it, can't even use ssh - though clearly if there's something amiss it needs to be fixed).

Code:
Checking `bindshell'... INFECTED (PORTS:  xxxxx)
Quote:
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
Usermin is bound to one of those ports.. Time to move it I guess.

Thanks homey, chkrootkit is one of those programs that having been used once, I don't think I'll be able to go without again.. Though I'd still like to get to the bottom of why I have 3 "me's" listed from a who, yet only being connected once. Even though chkroot is saying nothing is compromised (I hope..) It's just bang-out-of-order that a who command would give seemingly false information - it leaves the whole "but maybe the box is compromised" debate open.
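Added example, not part of any post in this thread: `who` prints the login records stored in utmp while `ps` prints live processes, so a record left behind by a session that ended without cleanup appears in one and not the other. The script below automates the comparison the original poster did by hand; the function name and the sample text (constructed from the output in post #1) are assumptions, and it treats any pts entry with a remote host in parentheses as an ssh login.

```shell
#!/bin/sh
# Cross-check `who` (utmp records) against live per-session sshd processes.

# Constructed sample input, modelled on the output shown in post #1.
WHO_SAMPLE='fred      pts/2        Jun 26 14:07 (blah.com)
fred      pts/4        Jun 26 01:30 (blah.com)
fred      pts/6        Jun 20 14:06 (blah.com)'

PS_SAMPLE='root     19955  0.0  0.0  5380 1416 ?        S    14:07   0:00 /usr/sbin/sshd
root     19966  0.0  0.0  9044 2056 ?        S    14:07   0:00 sshd: fred [priv]
fred     19984  0.0  0.0  9044 2248 ?        S    14:07   0:00 sshd: fred@pts/2
root     20150  0.0  0.0  4968  612 pts/2    S    14:10   0:00 grep sshd'

# stale_sessions WHO_OUTPUT PS_OUTPUT
# Prints "user tty" for each remote pts login that `who` lists but for which
# `ps` shows no "sshd: user@tty" process, i.e. a utmp record with no session.
stale_sessions() {
    printf '%s\n---PS---\n%s\n' "$1" "$2" | awk '
        $0 == "---PS---" { in_ps = 1; next }
        # who section: keep only pts entries that carry a "(remote host)" field
        !in_ps && $2 ~ /^pts\// && $NF ~ /^\(.*\)$/ {
            order[++n] = $1 " " $2
            next
        }
        # ps section: collect the user@tty pairs from "sshd: user@pts/N" titles
        in_ps {
            for (i = 1; i < NF; i++)
                if ($i == "sshd:" && $(i + 1) ~ /@pts\//) {
                    split($(i + 1), p, "@")
                    live[p[1] " " p[2]] = 1
                }
        }
        END {
            for (k = 1; k <= n; k++)
                if (!(order[k] in live)) print order[k]
        }
    '
}

# Run against the constructed sample. On a live system, as root:
#   stale_sessions "$(who)" "$(ps aux)"
stale_sessions "$WHO_SAMPLE" "$PS_SAMPLE"
```

An entry flagged here has no sshd process behind it, which is why `ps` shows nothing for it.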
 
  

