KirkColvin747

Member
Mar 17, 2005
12
0
151
Getting this message once in a while...

lfd: Excessive resource usage: buster (19281)

Time: Tue Dec 19 19:16:06 2006
Account: buster
Resource: Process Time
Exceeded: 1821 > 1800 (seconds)
Executable: /usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID: 19281
Killed: No

any ideas?

many thanks
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
Hiya Kirk,

I'm getting the same thing on my side:

At first I believed that this may be caused by the client trying to run something on their shell account. I terminated all processes under their account and disabled their shell. This message keeps coming up, though.

Time: Sun Sep 9 06:07:30 2007
Account: corona
Resource: Process Time
Exceeded: 1817 > 1800 (seconds)
Executable: /home/virtfs/corona/usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID: 17188
Killed: No

As far as I can see there is a secure FTP server running under the client's account. Why would this be using excessive resources?

Marko
 

nyjimbo

Well-Known Member
Jan 25, 2003
1,136
1
168
New York
That's the secure FTP SERVER, which means something is likely uploading or downloading from the person's account. I would look for any logs or try to see if you can find any weird files in the corona account. Not sure how he can tell sftp-server to trigger if he doesn't have SSH, but maybe there is more to this account than you have found so far.
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
The user doesn't have SSH at all, but I'm still getting these messages as well:

lfd: SSH login alert for user corona from 196.35.68.144 (isfw.jhb.24-7online.co.za)
Time: Sun Sep 9 05:37:07 2007
IP: 196.35.68.144 (isfw.jhb.24-7online.co.za)
Account: corona
Method: password authentication
-- How is this possible if Shell Access is (disabled) ?


Additionally, how could they be running an SFTP server process under their account?
Their directory tree seems to be normal as below:


total 68
4 drwx--x--x 10 corona corona 4096 Sep 7 23:08 ./
8 drwx--x--x 114 root root 4096 Sep 8 22:24 ../
0 lrwxrwxrwx 1 corona corona 32 Sep 5 08:19 access-logs -> /usr/local/apache/domlogs/corona/
4 -rw------- 1 corona corona 523 Sep 7 23:58 .bash_history
4 -rw-r--r-- 1 corona corona 24 Sep 5 08:10 .bash_logout
4 -rw-r--r-- 1 corona corona 191 Sep 5 08:10 .bash_profile
4 -rw-r--r-- 1 corona corona 124 Sep 5 08:10 .bashrc
0 -rw-r--r-- 1 corona corona 0 Sep 6 12:40 .contactemail
4 drwxr-xr-x 4 corona corona 4096 Sep 7 19:02 .cpanel/
4 -rw-r--r-- 1 corona corona 16 Sep 7 23:07 .dns
4 -rw-r--r-- 1 corona corona 383 Sep 5 08:10 .emacs
4 drwxr-x--- 3 corona mail 4096 Sep 5 19:38 etc/
4 drwxrwx--- 6 corona mail 4096 Sep 5 19:39 mail/
4 drwxr-xr-x 3 corona corona 4096 Mar 17 01:14 public_ftp/
4 drwxr-x--- 3 corona nobody 4096 Sep 7 23:03 public_html/
4 drwxr-xr-x 2 corona corona 4096 Sep 7 23:09 restore/
4 drwxr-xr-x 7 corona corona 4096 Sep 7 08:42 tmp/
4 drwx------ 2 corona corona 4096 Sep 5 20:06 .trash/
0 lrwxrwxrwx 1 corona corona 11 Sep 5 08:10 www -> public_html/

Any ideas on what this all means?
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
Another message

Here's another extract which brings up other questions:

Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 9 11:11:14 coder sshd[27435]: Accepted password for corona from ::ffff:196.35.68.144 port 1051 ssh2
Sep 9 11:11:21 coder sshd[27467]: subsystem request for sftp
 

yapluka

Well-Known Member
Dec 24, 2003
301
1
168
France
cPanel Access Level
Root Administrator
For a few months now, the default cPanel shell has given users SFTP access even when they don't have full shell (or jailshell) access.
 

maysoft

Well-Known Member
Nov 10, 2005
64
0
156
LFD WILL report a "successful" SSH login into an account even if SSH is not enabled. This is because of the way cPanel "disables" SSH. Just try it yourself ;)
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
All in all this is very suspicious, as for some reason this just started happening with another user's account!

Time: Sun Sep 9 18:33:49 2007
Account: keybaud
Resource: Process Time
Exceeded: 1848 > 1800 (seconds)
Executable: /usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID: 17987
Killed: No


Now another account is saying the same message!!!
I've terminated the old account and now this is coming up. I heavily suspect some foul play.
Rkhunter and chkrootkit are not picking up anything.

Anyone know of any SFTP exploits flying around?
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
Is there any way to prevent SFTP access to the account? It's highly suspicious that a new account would start an SFTP server and then, when this account was terminated, another instance of it would be started.

Sep 9 15:29:21 coder su(pam_unix)[29215]: session closed for user root
Sep 9 15:29:24 coder su(pam_unix)[27528]: session closed for user root
Sep 9 15:56:40 coder sshd(pam_unix)[11052]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wbs-41-208-216-159.wbs.co.za user=keybaud
Sep 9 15:56:45 coder sshd(pam_unix)[11070]: session opened for user keybaud by (uid=0)
Sep 9 16:00:18 coder sshd(pam_unix)[11070]: session closed for user keybaud
Sep 9 15:14:43 coder sshd[8780]: Failed password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
Sep 9 15:15:01 coder sshd[8780]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
Sep 9 15:15:03 coder sshd[8808]: subsystem request for sftp
Sep 9 15:17:30 coder sshd[8997]: Did not receive identification string from ::ffff:202.75.200.251
Sep 9 15:21:48 coder sshd[9186]: Connection closed by ::ffff:202.75.200.251
Sep 9 15:47:16 coder sshd[10584]: Invalid user corona from ::ffff:196.35.68.144
Sep 9 15:47:16 coder sshd[10585]: input_userauth_request: invalid user corona
Sep 9 15:47:20 coder sshd[10585]: Received disconnect from ::ffff:196.35.68.144: 13: Authentication cancelled by user.
Sep 9 15:56:42 coder sshd[11052]: Failed password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:45 coder sshd[11052]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp

I have personally now called both the users and they have said that they are not running SFTP in any way - this means this process is being started by something else?

I've also opened a cPanel ticket as this may be serious.
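An added example, not code from the thread, from cPanel or from lfd, that does by script what this post does by eye: it pairs each sshd "Accepted password" line with the "subsystem request for sftp" that follows it and checks whether one of those SFTP logins accounts for the sftp-server process lfd complained about. The sshd lines are the ones posted above; the lfd alert, the 30 s / 60 s windows and the year 2007 are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Added example (not from the thread, cPanel or lfd). SSHD_LOG lines are copied from
# the thread; LFD_ALERT is constructed to match the 15:56:45 login below.
SSHD_LOG = """\
Sep 9 15:15:01 coder sshd[8780]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
Sep 9 15:15:03 coder sshd[8808]: subsystem request for sftp
Sep 9 15:56:42 coder sshd[11052]: Failed password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:45 coder sshd[11052]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp
"""
LFD_ALERT = """\
Time: Sun Sep 9 16:27:30 2007
Account: keybaud
Exceeded: 1845 > 1800 (seconds)
Executable: /usr/libexec/openssh/sftp-server
"""
YEAR = 2007  # ASSUMPTION: syslog lines carry no year; the alerts in the thread say 2007
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
ACCEPT_RE = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")

def sftp_sessions(log, window=timedelta(seconds=30)):
    # Pair each "Accepted ... for USER" with the next "subsystem request for sftp". With
    # privilege separation sshd logs the request under a child PID (8780 -> 8808), so pair by time.
    sessions, pending = [], None
    for m in filter(None, map(SYSLOG_RE.match, log.splitlines())):
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        a = ACCEPT_RE.match(m.group(2))
        if a:
            pending = {"method": a.group(1), "user": a.group(2), "ip": a.group(3), "login": ts, "sftp": False}
            sessions.append(pending)
        elif m.group(2) == "subsystem request for sftp" and pending and ts - pending["login"] <= window:
            pending["sftp"] = True
            pending = None
    return sessions

def parse_alert(alert):
    f = dict(l.split(": ", 1) for l in alert.splitlines() if ": " in l)
    # "Exceeded: N > 1800" is the process age when lfd fired, so start = alert time - N
    started = datetime.strptime(f["Time"], "%a %b %d %H:%M:%S %Y") - timedelta(seconds=int(f["Exceeded"].split()[0]))
    return {"account": f["Account"], "exe": f["Executable"], "started": started}

def explain_alert(alert, log, slack=timedelta(seconds=60)):
    # The SFTP session whose login matches the process start, or None: the unexplained case is the one to dig into.
    a = parse_alert(alert)
    if a["exe"].endswith("sftp-server"):
        for s in sftp_sessions(log):
            if s["user"] == a["account"] and s["sftp"] and abs(s["login"] - a["started"]) <= slack:
                return s
    return None
```

A None result for an alert whose account has no matching SFTP login is the signal worth chasing; a match simply means a client held an SFTP session open longer than lfd's 1800 s process-time threshold.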
 

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
One more reply:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: SSH Communications Security's Secure Shell Server: SFTP privilege escalation
Date: March 14, 2007
Bugs: #168584
ID: 200703-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Could it be this that is happening? It's quite old though, and I'm assuming this would be patched as we run /scripts/upcp weekly.

See link: http://www.gentoo.org/security/en/glsa/glsa-200703-13.xml

Seems to be Gentoo, but we are running CentOS?