Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
02-08-2007, 09:45 AM
#1
Member
Registered: Dec 2004
Location: Uganda
Distribution: SuSE
Posts: 36
SSHD or Trojan?
Hi,
I might be having a problem related to sshd. It seems to behave normally, but why would it run using a different program name? I am wondering if this could be some sort of Trojan.
linux:/ # which sshd
/usr/sbin/sshd
linux:/ # file /usr/sbin/sshd
/usr/sbin/sshd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
linux:/ # sshd
linux:/ # netstat -pnlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 :::22 :::* LISTEN 16513/*!@t
linux:/ # lsof -p 16513
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 16513 root cwd DIR 104,2 4096 2 /
sshd 16513 root rtd DIR 104,2 4096 2 /
sshd 16513 root txt REG 104,2 2079005 522105 /usr/sbin/sshd
sshd 16513 root mem REG 104,2 104484 1009865 /lib/ld-2.3.3.so
sshd 16513 root mem REG 104,2 33263 1009935 /lib/libpam.so.0.77
sshd 16513 root mem REG 104,2 88036 1009877 /lib/libnsl.so.1
sshd 16513 root mem REG 104,2 43632 1009873 /lib/libcrypt.so.1
sshd 16513 root mem REG 104,2 316410 1237922 /lib/libncurses.so.5.4
sshd 16513 root mem REG 104,2 170563 1009892 /lib/tls/libm.so.6
sshd 16513 root mem REG 104,2 10797 1009889 /lib/libutil.so.1
sshd 16513 root mem REG 104,2 1349081 1009891 /lib/tls/libc.so.6
sshd 16513 root mem REG 104,2 13647 1009874 /lib/libdl.so.2
sshd 16513 root mem REG 104,2 32110 1009878 /lib/libnss_compat.so.2
sshd 16513 root mem REG 104,2 40808 1009882 /lib/libnss_nis.so.2
sshd 16513 root mem REG 104,2 41737 1009880 /lib/libnss_files.so.2
sshd 16513 root 0u CHR 1,3 314335 /dev/null
sshd 16513 root 1u CHR 1,3 314335 /dev/null
sshd 16513 root 2u CHR 1,3 314335 /dev/null
sshd 16513 root 3u IPv6 29522534 TCP *:ssh (LISTEN)
sshd 16513 root 4u unix 0xf77beb00 29522536 socket
linux:/ #
//we are using IPv4 on our Network
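The two tools in the post disagree because they read different names for the same process: netstat -p takes the basename of argv[0] from /proc/PID/cmdline, which any program can overwrite (sshd itself does this for its per-connection children via setproctitle, and an attacker can do it too), while lsof's COMMAND column is the kernel task name from /proc/PID/stat, set from the executable's basename at exec() and truncated to 15 bytes. The most reliable of the three is the /proc/PID/exe symlink, which points at the binary actually mapped. The script below is an added example, not something from the thread; the function names, the verdict strings and the sample values in the test are my own, and the /proc layout it reads is the one described above.

```shell
#!/bin/sh
# Added example for this thread (not the poster's commands): triage a process
# whose name differs between tools, as the sshd in the post does.
#
#   argv[0]        from /proc/PID/cmdline; overwritable by the process itself
#   task name      from /proc/PID/stat field 2 (what lsof prints as COMMAND);
#                  exe basename truncated to 15 bytes, changeable via prctl()
#   /proc/PID/exe  symlink to the mapped binary; ends in " (deleted)" when the
#                  file was unlinked after the process started
#
# classify_names takes those three values and prints exactly one verdict:
#   ok | argv0-rewritten | comm-mismatch | deleted
classify_names() {
    comm=$1
    argv0=$2
    exe=$3
    case "$exe" in
        *' (deleted)')
            printf 'deleted\n'
            return 2 ;;
    esac
    exe_base=${exe##*/}
    argv0_base=${argv0##*/}
    # the kernel task name is the executable basename cut to 15 bytes
    comm_expect=$(printf '%s' "$exe_base" | cut -c1-15)
    if [ "$comm" != "$comm_expect" ]; then
        printf 'comm-mismatch\n'
        return 2
    fi
    if [ "$argv0_base" != "$exe_base" ]; then
        printf 'argv0-rewritten\n'
        return 1
    fi
    printf 'ok\n'
}

# Live check of one PID; needs /proc and, for other users' processes, root.
# Reads the task name from /proc/PID/stat rather than /proc/PID/comm so it
# also works on the 2.6 kernels of the era (comm only appeared in 2.6.33).
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { printf '%s: no such process\n' "$pid"; return 3; }
    comm=$(sed -n 's/^[0-9][0-9]* (\(.*\)) [A-Za-z].*/\1/p' "/proc/$pid/stat")
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || printf '?')
    printf 'pid=%s comm=%s argv0=%s exe=%s verdict=' "$pid" "$comm" "$argv0" "$exe"
    classify_names "$comm" "$argv0" "$exe"
}

# usage: sh triage.sh 16513   (the PID netstat reported for port 22)
if [ $# -gt 0 ]; then
    inspect_pid "$1"
fi
```

For the values in the post (task name sshd, argv[0] `*!@t`, exe /usr/sbin/sshd) the verdict is argv0-rewritten: the binary on disk is the one the package manager knows about, but something overwrote the argument vector of the listener, which a freshly started `sshd` with no arguments has no reason to do. That is a reason to verify the package and compare the binary against a known-good copy, not yet proof of anything. Two caveats: the verdict is expected for sshd's session children, whose title sshd sets to "sshd: user [priv]"; and every tool here, netstat and lsof included, reads /proc, so a kernel-level rootkit can lie to all of them at once, which is why a check from rescue media is the final word. The `:::22` listener itself is unremarkable: on a dual-stack kernel an IPv6 wildcard socket also accepts IPv4 connections unless net.ipv6.bindv6only is set, so the poster's IPv4-only network does not make it suspicious.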
02-08-2007, 11:29 AM
#2
Senior Member
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,508
It could be a trojan, for sure.
Verify the sshd package:
Code:
root@bigslam:~>rpm -qf /usr/sbin/sshd
openssh-4.2p1-18
root@bigslam:~>rpm -qV openssh-4.2p1-18
S.5....T c /etc/ssh/sshd_config
root@bigslam:~>
The output of rpm -qV only shows lines where the files on disk differ from the information about the files in the rpm database.
In my case, the only difference is in the file /etc/ssh/sshd_config, a configuration file (c). The time (T), the size (S), and the md5sum (5) are different, which is normal, because I tweak the default configuration file.
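Reading rpm -V output by eye works for one package, but the useful rule is the one the reply states: a config file with a new size, digest or mtime is a local edit, while any other difference, above all a changed digest on a binary such as /usr/sbin/sshd, or a missing file, needs explaining. The filter below is an added example, not from the reply; the function name and the sample lines in the test are constructed, and the line layout it parses is the one rpm -V prints: an attribute string (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; "." for passed, "?" for not testable), an optional file type letter (c config, d doc, g ghost, l license, r readme) and the path, or the word "missing" and the path.

```shell
#!/bin/sh
# Added example (not from the reply above): separate the expected noise in
# rpm -V output, locally edited config files, from changes that need
# explaining. Reads rpm -V lines on stdin and prints only the unexplained ones.
triage_rpm_verify() {
    awk '
    # a file the package installed but which is no longer on disk
    $1 == "missing" { print "MISSING " $NF; next }
    # anything that is not an attribute string (e.g. dependency messages)
    $1 !~ /^[SM5DLUGTP.?]+$/ { print "OTHER " $0; next }
    {
        attrs = $1
        ftype = (NF >= 3) ? $2 : ""   # file type letter is optional
        path  = $NF                   # paths with spaces are not handled
        rest  = attrs
        if (ftype == "c") {
            # a config file with a new size, digest or mtime is a local edit
            gsub(/[.S5T]/, "", rest)
        } else {
            # for every other file only the mtime may differ
            gsub(/[.T]/, "", rest)
        }
        if (rest != "") print "CHANGED " attrs " " path
    }'
}

# usage: rpm -V "$(rpm -qf /usr/sbin/sshd)" | sh triage.sh --stdin
if [ "$1" = "--stdin" ]; then
    triage_rpm_verify
fi
```

With the reply's own output the filter prints nothing, which is the desired result. The caveat a practitioner should keep in mind is that rpm -V trusts the local rpm database and runs the host's own rpm binary and libraries; a kit that replaces the binary and patches the database, or hooks the libraries, passes this check. To remove that dependency, verify against the original package file rather than the database (`rpm -Vp` with the package from the install media or a mirror, after checking its signature with `rpm --checksig`), or compare the binary's checksum with the same file on a known-clean machine while the suspect disk is mounted from rescue media.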
02-08-2007, 11:38 AM
#3
Moderator
Registered: May 2001
Posts: 29,415
The details *look* OK, but the name is a bit weird. As Marozsas said, you should verify the contents of the sshd package. If in doubt, post details. Also see if a checkup should be done. Here are some guidelines on what to look for: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html