Weird SSH files in /tmp

0men · 04-02-2011, 09:51 PM

Hey guys,

I was just installing a package and noticed in my /tmp folder a number of ssh-"random string of letters" such as ssh-WHLTm14927.

I have disabled ssh in /etc/rc.d so does this mean someone is logging on through ssh to my machine ? Im not sure if its' suspicious or not. I've never used ssh.

Should i chmod -x /usr/sbin/sshd ??
One thought im having is that the daemon is still running and when i shutdown the machine its somehow crashing ssh and generating the files?? Any thoughs would be great

Thanks heaps guys.

EdGr · 04-02-2011, 09:57 PM

You likely used a program that calls ssh, such as rsync.
Ed

thund3rstruck · 04-03-2011, 09:52 AM

Do a quick audit with netstat:

Code:

$ netstat -nt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.2.101:22        74.125.155.16:46988     ESTABLISHED

Look for a line where there is a LISTENING or ESTABLISHED state on port 22. If 22 is listening then SSH is up and running and if it's ESTABLISHED then there is an active connection to it!

Hope this helps...

cowyn · 04-03-2011, 01:07 PM

Generally, none of SSHD's business.
Possibly you're using SSH-Agent?

Ramurd · 04-03-2011, 03:14 PM

what cowyn said: ssh-agent creates an "mktemp" folder in /tmp, in which there is a socket. These files are not suspicious, but it would be a good idea to have them cleaned up appropriately.

In your shutdown script you can do that like this:

Code:

if [ ! -z "${SSH_AGENT_PID}" ]
then
    ssh-agent -k
fi

That will clean the currently active ssh-agent and folder up.

On the other hand, you can search your startup scripts and see if they start ssh-agent and comment that out.
ssh-agent is a program that helps ssh to provide the public key for password-less logins; ssh-agent --help won't help you, as it will start a new ssh-agent. Instead check out the man page: man ssh-agent.