The Community Forums


Tons of SSHD process

Discussion in 'General Discussion' started by benito, Dec 8, 2008.

  1. benito

    benito Well-Known Member

    For several days I've been getting tons of sshd processes. How can I kill them all without writing "kill pid" for each, and how can I trace who is starting these processes?

     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    What happens if you use the restart SSH from within WHM? Might want to change the port number in your config first. Save you from having to restart twice.
     
  3. ChrisRHS

    ChrisRHS Well-Known Member

  4. mtindor

    mtindor Well-Known Member

    I think a bigger question I would have is, "what is this?":

    Code:
    nobody 15198 0.0 0.0 3056 1240 ? S< 07:33 0:00 /bin/sh ./start 70
    nobody 28078 0.0 0.0 3212 1024 ? S< 10:46 0:00 \_ /bin/bash ./a 70.32
    
    Mike
     
  5. MattDees

    MattDees cPanel Product Owner
    Staff Member

    To me, this looks like a server that is being exploited for a botnet/DoS script/spam/etc - processes can masquerade as others fairly easily.

    Considering that these are running as the user nobody (which is what Apache runs as, including PHP scripts if you are running mod_php) and have a suspicious-looking parent process, it's probably a malicious script of some type.

    Your best bet is to check the /proc/ directory for the start PID and see what exe symlinks to and see if you can find the source of this issue. I see some serious red flags in this regard that need to be investigated.
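
The /proc check described in the post above, as an added example that is not part of the original thread: it reads the `exe` and `cwd` symlinks, walks up the parent chain, and flags a process whose argv[0] says sshd while `exe` points elsewhere. Run it as root so the symlinks are readable; the `PROC_ROOT` override, the function names, PIDs 28100 and 900, and all paths in the sample tree are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: /proc triage for processes that claim to be sshd.
# PROC_ROOT can point at a copied or constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"
# Binary actually executing; a "(deleted)" suffix means it was unlinked after launch.
proc_exe() { readlink "$PROC_ROOT/$1/exe" 2>/dev/null || echo unreadable; }
# Directory the process runs in (where relative paths like ./start resolve).
proc_cwd() { readlink "$PROC_ROOT/$1/cwd" 2>/dev/null || echo unreadable; }
# argv is stored NUL-separated; join it with spaces.
proc_cmdline() {
  [ -r "$PROC_ROOT/$1/cmdline" ] || return 0
  tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}
# Parent PID from the status file.
proc_ppid() { awk '/^PPid:/ {print $2}' "$PROC_ROOT/$1/status" 2>/dev/null || true; }
# True when argv[0] says sshd but the exe symlink points at some other binary.
fake_sshd() {
  local exe cmd
  exe=$(proc_exe "$1"); exe=${exe% (deleted)}
  [ "$exe" = unreadable ] && return 1   # cannot judge without the symlink
  cmd=$(proc_cmdline "$1")
  case "${cmd%% *}" in
    sshd|sshd:|*/sshd) [ "${exe##*/}" != sshd ] ;;
    *) return 1 ;;
  esac
}
# Print a PID and each ancestor until the parent is no longer in PROC_ROOT.
trace_pid() {
  local pid=$1
  while [ -n "$pid" ] && [ -d "$PROC_ROOT/$pid" ]; do
    printf '%s exe=%s cwd=%s cmd=%s\n' "$pid" "$(proc_exe "$pid")" \
      "$(proc_cwd "$pid")" "$(proc_cmdline "$pid")"
    pid=$(proc_ppid "$pid")
  done
}
# Constructed sample tree: the two PIDs from the ps output plus made-up sshd entries.
make_sample_tree() {
  local root; root=$(mktemp -d)
  _mk() { local d="$root/$1"; mkdir -p "$d"; printf 'PPid:\t%s\n' "$2" > "$d/status"
          ln -s "$3" "$d/exe"; ln -s "$4" "$d/cwd"; shift 4; printf '%s\0' "$@" > "$d/cmdline"; }
  _mk 15198 1 /bin/sh /tmp/constructed /bin/sh ./start 70
  _mk 28078 15198 /bin/bash /tmp/constructed /bin/bash ./a 70.32
  _mk 28100 28078 /usr/bin/perl /tmp/constructed sshd
  _mk 900 1 /usr/sbin/sshd / /usr/sbin/sshd -D
  echo "$root"
}
# Live use: pass a PID as the first argument to print its ancestry.
if [ $# -gt 0 ]; then trace_pid "$1"; fi
```

The `cwd` value is usually the quickest lead, since it is the directory holding the dropped files that the relative command lines refer to.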
     
  6. mtindor

    mtindor Well-Known Member

    My thoughts exactly. Good luck with that.

    mike
     