The Community Forums


ssh-scan??

Discussion in 'General Discussion' started by upsforum, Sep 22, 2006.

  1. upsforum

    1466 nobody 15 0 45464 16M 3444 S 5.5 3.3 8:04 0 httpd
    24658 nobody 15 0 968 512 428 S 1.7 0.1 0:25 0 ssh-scan
    24676 nobody 15 0 968 512 428 S 1.7 0.1 0:26 0 ssh-scan
    24736 nobody 15 0 968 512 428 S 1.7 0.1 0:24 0 ssh-scan
    1996 tomcat 15 0 310M 83M 6328 S 1.5 16.8 160:41 0 jsvc
    24567 nobody 15 0 968 512 428 S 1.5 0.1 0:21 0 ssh-scan
    24889 nobody 16 0 968 512 428 R 1.5 0.1 0:19 0 ssh-scan
    27152 mailnull 16 0 7476 3560 2592 S 1.5 0.6 0:00 0 exim
    24637 nobody 15 0 960 504 428 S 1.3 0.0 0:16 0 ssh-scan
    24904 nobody 15 0 960 504 428 S 1.3 0.0 0:13 0 ssh-scan
    24665 nobody 15 0 968 512 428 S 1.2 0.1 0:27 0 ssh-scan
    26001 nobody 15 0 960 504 428 S 1.2 0.0 0:08 0 ssh-scan
    21223 nobody 15 0 968 512 428 S 1.0 0.1 0:25 0 ssh-scan
    21447 nobody 15 0 968 512 428 S 1.0 0.1 0:23 0 ssh-scan
    24543 nobody 15 0 968 512 428 S 1.0 0.1 0:09 0 ssh-scan
    26994 nobody 16 0 968 512 428 R 1.0 0.1 0:01 0 ssh-scan
    20642 nobody 15 0 968 512 428 R 0.8 0.1 0:30 0 ssh-scan
    21112 nobody 16 0 968 512 428 R 0.8 0.1 0:26 0 ssh-scan
    21114 nobody 15 0 968 512 428 S 0.8 0.1 0:26 0 ssh-scan
    21175 nobody 15 0 968 512 428 S 0.8 0.1 0:35 0 ssh-scan
    21203 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
    21219 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
    21240 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
    21299 nobody 15 0 968 512 428 S 0.8 0.1 0:25 0 ssh-scan
    21330 nobody 16 0 968 512 428 R 0.8 0.1 0:25 0 ssh-scan
    21467 nobody 15 0 968 512 428 S 0.8 0.1 0:23 0 ssh-scan
    21515 nobody 15 0 968 512 428 S 0.8 0.1 0:22 0 ssh-scan
    21521 nobody 15 0 968 512 428 S 0.8 0.1 0:22 0 ssh-scan
    21525 nobody 15 0 968 512 428 S 0.8 0.1 0:23 0 ssh-scan
    21538 nobody 16 0 968 512 428 R 0.8 0.1 0:22 0 ssh-scan
    21623 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
    21628 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
    21639 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
    21699 nobody 15 0 968 512 428 S 0.8 0.1 0:21 0 ssh-scan
    22360 nobody 15 0 968 512 428 S 0.8 0.1 0:16 0 ssh-scan
    22401 nobody 15 0 968 512 428 S 0.8 0.1 0:16 0 ssh-scan
    24002 nobody 15 0 968 512 428 S 0.8 0.1 0:11 0 ssh-scan
    26945 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan
    26985 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan
    26990 nobody 15 0 968 512 428 S 0.8 0.1 0:01 0 ssh-scan

    What is SSH-SCAN??? ... The server is very slow, 99% CPU usage.

    help me!
     
  2. jayh38

    Ouch, that doesn't look healthy. I would kill that process and find out how it's being called, for starters. That is a scanning tool by Nessus.
     
  3. upsforum

    I killed it with "killall ssh-scan", but it starts again; I don't understand why it restarts every 3/6 hours.
     
  4. rsaylor

    cd /tmp
    ls -lha
    look for hidden files

    cd /
    df -h

    Is /dev/shm 0% used? It normally should be; there could be hidden files there also.

    Looks like it is a local attack; you've got a nasty user.

    Install phpsuexec, turn that user nobody into somebody. /scripts/easyapache , look for the phpsuexec option. Use #7 to load prev. config
     
  5. upsforum

    OK,

    1) Run /scripts/easyapache
    2) I selected #7 (prev config)
    3) In the menu I selected -> phpSuExec support
    4) I saved the new Apache config
    and recompiled Apache.

    Did I do this correctly?
     
  6. upsforum

    In every virtualhost in httpd.conf I have this directive:

    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule mod_php5.c>
    php_admin_value open_basedir "/home/amsprot/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>

    Is this a secure condition?
     
  7. ramprage

    That's just open_basedir, which is good to have. Try running my nobody check tool to help you with tracking down the processes. These are shell scripts doing SSH brute-force scans against other hosts, so I suggest you take immediate action and stop them, then further lock down your server so they can't restart again.
     
  8. upsforum

    With the nobody_check.sh tool I get this:

    Nobody Check 1.0.2

    Tue Sep 26 10:25:21 CEST 2006 on server.upshost.com Server Load: 10:25:21 up 44 days, 19:12, 1 user, load average: 0.41, 0.43, 0.36
    Warning: Malicious Nobody Process Found
    =========================================


    SCAN SUMMARY
    ========================================

    Clean Processes: 21
    DETECTED Malicious Processes: 3


    DETECTION DETAILS
    ========================================

    DETECTION: Process 31122 with name sh and path /bin/bash
    DETECTION: Process 31121 with name 2727 and path /usr/local/apache/proxy/fra/bind/2727
    DETECTION: Process 31060 with name 2727 and path /usr/local/apache/proxy/fra/bind/2727

    Server Admin action is required immediately.

    Generated by WebHostGear.com Nobody Check
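    The check rsaylor and ramprage describe (processes owned by the web-server user "nobody" that are not Apache, or that run out of /tmp, /dev/shm or the Apache proxy directory), written out as an added example. This is not the WebHostGear nobody_check.sh nor any cPanel script; the httpd paths, the proxy path and the sample listing are assumptions modelled on the output quoted in this thread, and live_listing assumes a Linux /proc with GNU stat.

```shell
# Added example, not the thread's nobody_check.sh: flag "nobody" processes
# whose executable is not Apache, sits in a scratch directory (/tmp, /dev/shm)
# or the Apache proxy directory named in the thread, or is a shell/scanner.

# Constructed sample modelled on the thread's top and nobody_check output,
# one "pid user exe" per line.
SAMPLE_PS='1466 nobody /usr/local/apache/bin/httpd
24658 nobody /usr/local/apache/proxy/fra/bind/ssh-scan
31122 nobody /bin/bash
31121 nobody /usr/local/apache/proxy/fra/bind/2727
27152 mailnull /usr/sbin/exim
1996 tomcat /usr/bin/jsvc'

# classify <pid> <user> <exe>: prints CLEAN or DETECTED:<reason>.
# Only "nobody" is examined; the httpd paths are assumed cPanel/stock defaults.
classify() {
  user=$2; exe=$3
  [ "$user" = "nobody" ] || { echo CLEAN; return; }
  case "$exe" in
    /usr/local/apache/bin/httpd|/usr/sbin/httpd) echo CLEAN ;;
    /tmp/*|/dev/shm/*|/var/tmp/*)   echo "DETECTED:scratch-dir" ;;
    /usr/local/apache/proxy/*)      echo "DETECTED:proxy-dir" ;;
    */bash|*/sh|*/perl|*/ssh-scan)  echo "DETECTED:shell-or-scanner" ;;
    *)                              echo "DETECTED:unexpected-binary" ;;
  esac
}

# scan_listing: reads "pid user exe" lines on stdin and prints one DETECTION
# line per hit (prints nothing when the listing is clean).
scan_listing() {
  while read -r pid user exe; do
    [ -n "$pid" ] || continue
    case "$(classify "$pid" "$user" "$exe")" in
      DETECTED:*) echo "DETECTION: pid $pid user $user exe $exe" ;;
    esac
  done
}

# detected_count <listing>: number of hits, usable from a cron job for alerting.
detected_count() { printf '%s\n' "$1" | scan_listing | wc -l | tr -d ' '; }

# live_listing: builds the same "pid user exe" lines from /proc on a real host;
# the exe link keeps showing the path even if the file was deleted after start.
live_listing() {
  for p in /proc/[0-9]*; do
    user=$(stat -c %U "$p" 2>/dev/null) || continue
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    echo "${p#/proc/} $user $exe"
  done
}
printf '%s\n' "$SAMPLE_PS" | scan_listing   # three DETECTION lines for the sample
```

    On a live server replace the sample with `live_listing | scan_listing`; a hit is a starting point for `lsof -p <pid>` and the log review suggested later in the thread, not proof by itself.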
     
  9. jayh38

    You obviously have someone using your system via proxy. You should have no users in the proxy directory under normal circumstances.

    Track the process to see everything they are using, for starters:

    lsof -p 31122 or whatever it currently is at this time.

    In your proxy directory, you have a user installed as /fra/bind/2727
    You would need to delete that user and investigate how they are
    installing the account.

    Grep your logs and search to see what was run to create anything about
    that user and directory for starters.

    Do you at least have a firewall installed?
     