Tons of SSHD process

Discussion in 'General Discussion' started by benito, Dec 8, 2008.

  1. benito

    benito Well-Known Member

    For several days I'm getting tons of sshd processes. How can I kill them all without writing "kill pid" for each, and how can I trace who is starting these processes?

     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    What happens if you use the restart SSH from within WHM? Might want to change the port number in your config first. Save you from having to restart twice.
     
  3. ChrisRHS

    ChrisRHS Well-Known Member

    killall sshd - should work.
     
  4. mtindor

    mtindor Well-Known Member

    I think a bigger question I would have is, "what is this?":

    Code:
    nobody 15198 0.0 0.0 3056 1240 ? S< 07:33 0:00 /bin/sh ./start 70
    nobody 28078 0.0 0.0 3212 1024 ? S< 10:46 0:00 \_ /bin/bash ./a 70.32
    
    Mike
     
  5. MattDees

    MattDees Well-Known Member

    To me, this looks like a server that is being exploited for a botnet/DoS script/spam/etc - processes can masquerade as others fairly easily.

    Considering that these are running as the user nobody (which is what Apache runs as, including PHP scripts if you are running mod_php) and have a suspicious-looking parent process, it's probably a malicious script of some type.

    Your best bet is to check the /proc/ directory for the start PID and see what exe symlinks to and see if you can find the source of this issue. I see some serious red flags in this regard that need to be investigated.
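
The /proc check suggested in the post above, as an added example that is not part of the original thread: it lists every process owned by one UID with its argv[0], the target of its exe symlink and its cwd, and flags entries where the two names disagree. The function name, the PROC_ROOT variable and the flag labels are assumptions of this example.

```sh
#!/bin/sh
# Added example: compare what each process of one UID claims to be (argv[0])
# with what the kernel says it is executing (/proc/PID/exe).
# PROC_ROOT is an assumption of this example (lets the check run against a
# copied or constructed /proc tree); leave it unset on a live host, run as root.

triage_uid() (   # subshell body keeps the variables local
    uid="$1"
    root="${PROC_ROOT:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        puid="$(awk '/^Uid:/ {print $2; exit}' "$dir/status")"   # real UID
        [ "$puid" = "$uid" ] || continue
        pid="${dir##*/}"
        ppid="$(awk '/^PPid:/ {print $2; exit}' "$dir/status")"
        exe="$(readlink "$dir/exe" 2>/dev/null || echo '?')"
        cwd="$(readlink "$dir/cwd" 2>/dev/null || echo '?')"
        # cmdline is NUL-separated; argv[0] is chosen by whoever launched the
        # process, so it is the part that can say "sshd" for something else.
        argv0="$(tr '\000' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)"
        flag=ok
        # The name ps shows does not match the binary actually mapped.
        [ "${argv0##*/}" = "${exe##*/}" ] || flag=NAME_MISMATCH
        # The binary was unlinked after launch.
        case "$exe" in *" (deleted)") flag=EXE_DELETED ;; esac
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
            "$flag" "$pid" "$ppid" "$argv0" "$exe" "$cwd"
    done
)

# Usage: sh triage.sh nobody   (prints flag, PID, PPID, argv[0], exe, cwd)
if [ "$#" -gt 0 ]; then
    triage_uid "$(id -u "$1")"
fi
```

NAME_MISMATCH is a lead rather than a verdict: login shells (argv[0] of `-bash`) and interpreters reached through a symlink also trip it. For scripts started with a relative path, such as `./start`, the cwd column gives the process's current working directory.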
     
  6. mtindor

    mtindor Well-Known Member

    My thoughts exactly. Good luck with that.

    mike
     