Dec 10th, 2008

Hacker on my gateway?

I'm running fully updated Ubuntu 8.04 (as of today).

I did a "users" out of the blue and saw "root shwick shwick" and I only had two ssh sessions open to my gateway.

I checked if there was an additional ssh client running, as that is the only thing that I have exposed on the internet side:

root      6069     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick    6071  6069  0 Dec09 ?        00:00:01 sshd: shwick@pts/0
root     13731     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick   13734 13731  0 Dec09 ?        00:00:00 sshd: shwick@pts/2
root     14653     1  0 Dec09 ?        00:00:00 /usr/sbin/sshd

Looks like just my two shwick clients.

I get an email whenever someone logs on via ssh, so I checked all those, no suspicious IPs. Also grepped auth.* and saw only logins from my IP on the LAN.

I installed rkhunter, did a scan and got 0 rootkits found, but got a warning on hidden folders:

   Checking for hidden files and directories       [ Warning ]
[19:57:09] Warning: Hidden directory found: /dev/.static
[19:57:09] Warning: Hidden directory found: /dev/.udev
[19:57:09] Warning: Hidden directory found: /dev/.initramfs

Is there a way to check exactly how the root user is logged in right now, and what it is doing?

I recently installed x11vnc and made a failed startup script for it, could that be doing something?

Thanks.
shwick
Dec 13th, 2008

Re: Hacker on my gateway?

From my debian VM:

root      2114     1  0 Nov28 ?        00:00:00 /usr/sbin/sshd
root     32519  2114  0 08:52 ?        00:00:00 sshd: xxxx [priv]
xxxx     32521 32519  0 08:52 ?        00:00:00 sshd: xxxx@pts/0
Stylish
Dec 31st, 2008

Re: Hacker on my gateway?

It means the process itself is running as root, which is required for sshd to function properly.
TheOgre
Dec 31st, 2008

Re: Hacker on my gateway?

root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd

That's the sshd process itself, running as root, not root being logged in to an SSH session (notice it's sshd, not ssh@).

man sshd
TheOgre
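
The distinction drawn in the replies above, as an added example that is not part of any post in the thread: it sorts `ps -ef` sshd lines into listener, privileged monitor and user session by process title, and reports a root SSH login only when the login name in the title is root, not when the owner column is. The function names and the final root-login line (with its PID) are constructed for illustration.

```python
import re

# ps -ef lines quoted in the first post of this thread.
THREAD_PS = """\
root      6069     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick    6071  6069  0 Dec09 ?        00:00:01 sshd: shwick@pts/0
root     13731     1  0 Dec09 ?        00:00:00 sshd: shwick [priv]
shwick   13734 13731  0 Dec09 ?        00:00:00 sshd: shwick@pts/2
root     14653     1  0 Dec09 ?        00:00:00 /usr/sbin/sshd
"""
# Constructed line (not from the thread): how an actual root SSH login appears.
CONSTRUCTED_ROOT_LOGIN = "root     20001 14653  0 10:00 ?        00:00:00 sshd: root@pts/3\n"

MONITOR = re.compile(r"^sshd: (\S+) \[priv\]")    # per-connection privileged monitor
SESSION = re.compile(r"^sshd: ([^\s@]+)@(\S+)")   # authenticated session: user@tty


def classify_sshd(ps_text):
    """Return one dict per sshd process: pid, owner, role, login name, tty."""
    rows = []
    for line in ps_text.splitlines():
        f = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(f) < 8 or "sshd" not in f[7]:
            continue  # header line or unrelated process
        owner, pid, cmd = f[0], int(f[1]), f[7]
        row = {"pid": pid, "owner": owner, "role": "other", "login": None, "tty": None}
        if (m := MONITOR.match(cmd)):
            row.update(role="monitor", login=m.group(1))
        elif (m := SESSION.match(cmd)):
            row.update(role="session", login=m.group(1), tty=m.group(2))
        elif cmd.split()[0].endswith("/sshd"):
            row["role"] = "listener"  # the daemon itself, always owned by root
        rows.append(row)
    return rows


def root_logins(ps_text):
    """PIDs of SSH connections whose login name is root; the owner column is ignored."""
    return [r["pid"] for r in classify_sshd(ps_text)
            if r["role"] in ("monitor", "session") and r["login"] == "root"]


if __name__ == "__main__":
    for r in classify_sshd(THREAD_PS + CONSTRUCTED_ROOT_LOGIN):
        print(r)
    print("root SSH logins:", root_logins(THREAD_PS + CONSTRUCTED_ROOT_LOGIN))
```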

© 2011 DaniWeb® LLC