LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-08-2007, 09:45 AM   #1
sucram2g
Member
 
Registered: Dec 2004
Location: Uganda
Distribution: SuSE
Posts: 36

Rep: Reputation: 15
SSHD or Trojan?


Hi,
I might be having a problem related to sshd. It seems to behave normally, but why would it run using a different program name? I am wondering if this could be some sort of Trojan.

Code:
linux:/ # which sshd
/usr/sbin/sshd
linux:/ # file /usr/sbin/sshd
/usr/sbin/sshd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
linux:/ # sshd
linux:/ # netstat -pnlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 :::22 :::* LISTEN 16513/*!@t
linux:/ # lsof -p 16513
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 16513 root cwd DIR 104,2 4096 2 /
sshd 16513 root rtd DIR 104,2 4096 2 /
sshd 16513 root txt REG 104,2 2079005 522105 /usr/sbin/sshd
sshd 16513 root mem REG 104,2 104484 1009865 /lib/ld-2.3.3.so
sshd 16513 root mem REG 104,2 33263 1009935 /lib/libpam.so.0.77
sshd 16513 root mem REG 104,2 88036 1009877 /lib/libnsl.so.1
sshd 16513 root mem REG 104,2 43632 1009873 /lib/libcrypt.so.1
sshd 16513 root mem REG 104,2 316410 1237922 /lib/libncurses.so.5.4
sshd 16513 root mem REG 104,2 170563 1009892 /lib/tls/libm.so.6
sshd 16513 root mem REG 104,2 10797 1009889 /lib/libutil.so.1
sshd 16513 root mem REG 104,2 1349081 1009891 /lib/tls/libc.so.6
sshd 16513 root mem REG 104,2 13647 1009874 /lib/libdl.so.2
sshd 16513 root mem REG 104,2 32110 1009878 /lib/libnss_compat.so.2
sshd 16513 root mem REG 104,2 40808 1009882 /lib/libnss_nis.so.2
sshd 16513 root mem REG 104,2 41737 1009880 /lib/libnss_files.so.2
sshd 16513 root 0u CHR 1,3 314335 /dev/null
sshd 16513 root 1u CHR 1,3 314335 /dev/null
sshd 16513 root 2u CHR 1,3 314335 /dev/null
sshd 16513 root 3u IPv6 29522534 TCP *:ssh (LISTEN)
sshd 16513 root 4u unix 0xf77beb00 29522536 socket
linux:/ #


//we are using IPv4 on our Network
 
Old 02-08-2007, 11:29 AM   #2
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
Blog Entries: 2

Rep: Reputation: 68
It could be a trojan, for sure.
Verify the sshd package:
Code:
root@bigslam:~>rpm -qf /usr/sbin/sshd
openssh-4.2p1-18
root@bigslam:~>rpm -qV openssh-4.2p1-18
S.5....T  c /etc/ssh/sshd_config
root@bigslam:~>
The output of rpm -qV only shows lines where the files on disk differ from the information about the files in the rpm database.
In my case, the only difference is in the file /etc/ssh/sshd_config, a configuration file (c). The time (T), the size (S), and the md5sum (5) are different, which is normal, because I tweak the default configuration file.
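The two checks in this thread, post #1's comparison of the name netstat reports against the file lsof shows, and post #2's rpm -qf / rpm -qV verification of that file's package, can be scripted so they run over every listener at once. The block below is an added example written for this page, not code from either poster or from SUSE; the function names are my own, the netstat lines and the pid-to-executable map at the bottom are constructed to mirror the thread's output, and the parser expects the netstat -pnlt column layout shown above (not the ss -tlnp layout). It reads /proc/<pid>/exe rather than lsof's COMMAND column because exe is the file the kernel executed, whatever the process later calls itself.

```shell
#!/bin/sh
# Added example (not code from this thread). Cross-checks every listening
# TCP socket's reported program name against the executable behind the PID
# (what post #1 did by hand with netstat and lsof), then verifies the RPM
# that owns that executable (post #2's rpm -qf / rpm -qV check).

# Return 0 when the program name netstat reports equals the basename of the
# executable path, 1 otherwise. "*!@t" against /usr/sbin/sshd is a mismatch.
name_matches_exe() {
    [ "$1" = "${2##*/}" ]
}

# Build a "pid exe" map from /proc. /proc/<pid>/exe is the file the kernel
# actually executed, whatever the process later puts in argv[0]. Needs root
# to read other users' processes; unreadable entries are skipped.
build_proc_map() {
    for _d in /proc/[0-9]*; do
        _exe=$(readlink "$_d/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${_d#/proc/}" "$_exe"
    done
}

# $1: netstat -pnlt output, $2: "pid exe" map (constructed below, or from
# build_proc_map on a live host). Prints "MISMATCH <pid> <name> <exe>" for
# each listener whose reported name differs from its executable's basename.
find_mismatches() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $7 }' |
    while IFS=/ read -r _pid _name; do
        [ -n "$_pid" ] || continue
        _exe=$(printf '%s\n' "$2" | awk -v p="$_pid" '$1 == p { print $2 }')
        [ -n "$_exe" ] || continue
        name_matches_exe "$_name" "$_exe" ||
            printf 'MISMATCH %s %s %s\n' "$_pid" "$_name" "$_exe"
    done
}

# Post #2's check as a function: find the RPM that owns $1 and list every file
# in it that no longer matches the package database. Returns 0 if the binary
# itself is untouched (config-file drift is normal), 1 if the binary changed,
# 2 if rpm is unavailable, 3 if no package owns the file (itself suspicious).
verify_owner_package() {
    command -v rpm >/dev/null 2>&1 || return 2
    _pkg=$(rpm -qf "$1" 2>/dev/null) || return 3
    echo "owner: $_pkg"
    rpm -V "$_pkg" |
        awk -v f="$1" '{ print } $NF == f { hit = 1 } END { exit hit ? 1 : 0 }'
}

# Constructed sample mirroring the thread: one benign listener, one odd one.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1234/master
tcp 0 0 :::22 :::* LISTEN 16513/*!@t'
SAMPLE_MAP='1234 /usr/lib/postfix/master
16513 /usr/sbin/sshd'

if [ "${1:-}" = "--live" ]; then
    # Live mode: real netstat and /proc, then verify each flagged executable.
    find_mismatches "$(netstat -pnlt 2>/dev/null)" "$(build_proc_map)" |
    while read -r _tag _pid _name _exe; do
        echo "$_tag $_pid $_name $_exe"
        verify_owner_package "$_exe" || echo "  -> rc=$? for $_exe"
    done
else
    # Offline run on the constructed sample prints the 16513 line only.
    find_mismatches "$SAMPLE_NETSTAT" "$SAMPLE_MAP"
fi
```

Run it with `--live` as root on the SUSE box to get real results; without arguments it runs on the constructed sample. A clean rpm -V that still leaves the name mismatch unexplained is not a verdict either way: a process can be exec'd from a legitimate binary and have its argv[0] rewritten by whatever started it, which is why the CERT checklist unSpawn links is the next step rather than this script alone.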
 
Old 02-08-2007, 11:38 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The details *look* OK, but the name is a bit weird. As Marozsas said, you should verify the contents of the sshd package. If in doubt, post details. Also see if a checkup should be done. Here are some guidelines on what to look for: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
 
  

