upsforum (Well-Known Member, Jul 27, 2005):
1466 nobody 15 0 45464 16M 3444 S 5.5 3.3 8:04 0 httpd
24658 nobody 15 0 968 512 428 S 1.7 0.1 0:25 0 ssh-scan
24676 nobody 15 0 968 512 428 S 1.7 0.1 0:26 0 ssh-scan
24736 nobody 15 0 968 512 428 S 1.7 0.1 0:24 0 ssh-scan
1996 tomcat 15 0 310M 83M 6328 S 1.5 16.8 160:41 0 jsvc
24567 nobody 15 0 968 512 428 S 1.5 0.1 0:21 0 ssh-scan
24889 nobody 16 0 968 512 428 R 1.5 0.1 0:19 0 ssh-scan
27152 mailnull 16 0 7476 3560 2592 S 1.5 0.6 0:00 0 exim
24637 nobody 15 0 960 504 428 S 1.3 0.0 0:16 0 ssh-scan
24904 nobody 15 0 960 504 428 S 1.3 0.0 0:13 0 ssh-scan
24665 nobody 15 0 968 512 428 S 1.2 0.1 0:27 0 ssh-scan
26001 nobody 15 0 960 504 428 S 1.2 0.0 0:08 0 ssh-scan
21223 nobody 15 0 968 512 428 S 1.0 0.1 0:25 0 ssh-scan
21447 nobody 15 0 968 512 428 S 1.0 0.1 0:23 0 ssh-scan
24543 nobody 15 0 968 512 428 S 1.0 0.1 0:09 0 ssh-scan
26994 nobody 16 0 968 512 428 R 1.0 0.1 0:01 0 ssh-scan
20642 nobody 15 0 968 512 428 R 0.8 0.1 0:30 0 ssh-scan
21112 nobody 16 0 968 512 428 R 0.8 0.1 0:26 0 ssh-scan
21114 nobody 15 0 968 512 428 S 0.8 0.1 0:26 0 ssh-scan
21175 nobody 15 0 968 512 428 S 0.8 0.1 0:35 0 ssh-scan
21203 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
21219 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
21240 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
21299 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
21330 nobody 16 0 968 512 428 R 0.8 0.1 0:25 0 ssh-scan
21467 nobody 15 0 968 512 428 S 0.8 0.1 0:23 0 ssh-scan
21515 nobody 15 0 968 512 428 S 0.8 0.1 0:22 0 ssh-scan
21521 nobody 15 0 968 512 428 S 0.8 0.1 0:22 0 ssh-scan
21525 nobody 15 0 968 512 428 S 0.8 0.1 0:23 0 ssh-scan
21538 nobody 16 0 968 512 428 R 0.8 0.1 0:22 0 ssh-scan
21623 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
21628 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
21639 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
21699 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
22360 nobody 15 0 968 512 428 S 0.8 0.1 0:16 0 ssh-scan
22401 nobody 15 0 968 512 428 S 0.8 0.1 0:16 0 ssh-scan
24002 nobody 15 0 968 512 428 S 0.8 0.1 0:11 0 ssh-scan
26945 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan
26985 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan
26990 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan

What is SSH-SCAN??? ... the server is very slow, 99% CPU usage.

help me!
 

jayh38 (Well-Known Member, Mar 3, 2006):
Ouch, that doesn't look healthy. I would kill that process and find out how it's being called, for starters. That is a scanning tool by Nessus.
 

upsforum (Well-Known Member, Jul 27, 2005):
I killed it with "killall ssh-scan" but it starts again; I don't understand why it restarts every 3/6 hours.
 

rsaylor (Well-Known Member, Mar 27, 2003):
cd /tmp
ls -lha
look for hidden files

cd /
df -h

Is /dev/shm 0% used? It normally should be; there could be hidden files there also.

Looks like it is a local attack; you've got a nasty user.

Install phpsuexec, turn that user nobody into somebody. /scripts/easyapache, look for the phpsuexec option. Use #7 to load the prev. config.
 

upsforum (Well-Known Member, Jul 27, 2005):
OK,

1) Run /scripts/easyapache
2) I selected #7 (prev config)
3) In the menu I selected -> phpSuExec support
4) I saved the new apache config
and recompiled apache

Is this correct?
 

upsforum (Well-Known Member, Jul 27, 2005):
In every virtualhost in httpd.conf I have this directive:

<IfModule mod_php4.c>
php_admin_value open_basedir "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir "/home/amsprot/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>

Is this a secure configuration?
 

ramprage (Well-Known Member, Jul 21, 2002):
That's just open_base, which is good to have. Try running my nobody check tool to help you with tracking down the processes. These are shell scripts doing ssh brute force scans against other hosts, so I suggest you take immediate action and stop them, then further lock down your server so they can't restart again.
 

upsforum (Well-Known Member, Jul 27, 2005):
With the nobody_check.sh tool I get this:

Nobody Check 1.0.2

Tue Sep 26 10:25:21 CEST 2006 on server.upshost.com Server Load: 10:25:21 up 44 days, 19:12, 1 user, load average: 0.41, 0.43, 0.36
Warning: Malicious Nobody Process Found
=========================================


SCAN SUMMARY
========================================

Clean Processes: 21
DETECTED Malicious Processes: 3


DETECTION DETAILS
========================================

DETECTION: Process 31122 with name sh and path /bin/bash
DETECTION: Process 31121 with name 2727 and path /usr/local/apache/proxy/fra/bind/2727
DETECTION: Process 31060 with name 2727 and path /usr/local/apache/proxy/fra/bind/2727

Server Admin action is required immediately.

Generated by WebHostGear.com Nobody Check
 

jayh38 (Well-Known Member, Mar 3, 2006):
You obviously have someone using your system via proxy. You should have no users in the proxy directory under normal circumstances.

Track the process to see everything they are using, for starters:

lsof -p 31122 (or whatever it currently is at this time).

In your proxy directory, you have a user installed as /fra/bind/2727. You would need to delete that user and investigate how they are installing the account.

Grep your logs and search to see what was run to create anything about that user and directory, for starters.

Do you at least have a firewall installed?
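A defender's version of the checks this thread walks through (the nobody_check scan, lsof on the PIDs, hidden files in /tmp and /dev/shm, binaries under the Apache proxy directory, and what could relaunch a killed scanner every few hours), as an added example that is not the thread's nobody_check tool or anything the posters wrote. The allowed web-server paths, suspect directories, and the sample process table are constructed assumptions for a cPanel-style host.

```shell
#!/bin/sh
# nobody_audit.sh: added example, not the thread's nobody_check tool.
# Flags "nobody" processes whose binary is not the web server, or that live in a
# web-writable spot the thread points at (/tmp, /dev/shm, the Apache proxy dir).
# ALLOWED_EXES and SUSPECT_DIRS are assumptions for a cPanel-style host; adjust.
ALLOWED_EXES="/usr/local/apache/bin/httpd /usr/sbin/httpd"
SUSPECT_DIRS="/tmp /var/tmp /dev/shm /usr/local/apache/proxy"

# classify_proc PID USER EXE CWD -> "OK <pid>" or "SUSPECT <pid> <reason>"
classify_proc() {
    pid=$1 user=$2 exe=$3 cwd=$4
    [ "$user" = nobody ] || { echo "OK $pid"; return 0; }
    # a binary unlinked after launch is a classic way to hide a scanner
    case "$exe" in *"(deleted)"*) echo "SUSPECT $pid exe deleted on disk: $exe"; return 0;; esac
    for d in $SUSPECT_DIRS; do
        case "$exe" in "$d"/*) echo "SUSPECT $pid exe under $d: $exe"; return 0;; esac
        case "$cwd" in "$d"|"$d"/*) echo "SUSPECT $pid cwd under $d: $cwd"; return 0;; esac
    done
    for a in $ALLOWED_EXES; do
        [ "$exe" = "$a" ] && { echo "OK $pid"; return 0; }
    done
    echo "SUSPECT $pid unexpected nobody binary: $exe"
}

# audit_live: classify every process in /proc, then list anything scheduled
# for nobody that could explain a scanner coming back every few hours.
audit_live() {
    for p in /proc/[0-9]*; do
        user=$(stat -c %U "$p" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$p/cwd" 2>/dev/null || echo '?')
        classify_proc "${p#/proc/}" "$user" "$exe" "$cwd"
    done | grep '^SUSPECT' || echo 'no suspect nobody processes'
    echo '--- scheduled jobs that could restart it ---'
    crontab -u nobody -l 2>/dev/null || true
    grep -l nobody /etc/crontab /etc/cron.d/* 2>/dev/null || true
}

# count_suspects_sample: classify_proc over a CONSTRUCTED process table
# modelled on the thread (PIDs and paths are illustrative, not captured data).
count_suspects_sample() {
    printf '%s\n' \
      '1466 nobody /usr/local/apache/bin/httpd /' \
      '24658 nobody /tmp/.hidden/ssh-scan /tmp/.hidden' \
      '31121 nobody /usr/local/apache/proxy/fra/bind/2727 /usr/local/apache/proxy/fra/bind' \
      '31122 nobody /bin/bash /dev/shm/.x' \
      '1996 tomcat /usr/bin/jsvc /' |
    while read -r pid user exe cwd; do classify_proc "$pid" "$user" "$exe" "$cwd"; done |
    grep -c '^SUSPECT' || true
}
case "${1:-}" in --live) audit_live ;; esac
```

Run `sh nobody_audit.sh --live` as root on the affected host; `count_suspects_sample` only exercises the classifier on the built-in sample table.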