
I have a bunch of lines in my machine if I use "ps aux". Here are the lines:

samp      8413  0.0  0.0    968   564 ?        S    12:28   0:00 ./ssh 150
samp      8419  0.0  0.0    956   380 ?        S    12:28   0:00 ./ssh 150
samp      8420  0.0  0.0    956   380 ?        S    12:28   0:00 ./ssh 150
samp      8421  0.0  0.0    956   384 ?        S    12:28   0:00 ./ssh 150
samp      8422  0.0  0.0    956   384 ?        S    12:28   0:00 ./ssh 150
samp      8423  0.0  0.0    956   396 ?        S    12:28   0:00 ./ssh 150
samp      8424  0.0  0.0    956   384 ?        S    12:28   0:00 ./ssh 150

Just a few out of hundreds. I don't know what "./ssh 150" is or what it does, but I know it shouldn't be there. Or am I wrong?

Edit: All my logins are fine under "root". However, under "samp", I have weird lines:

samp     pts/1        quannei.de       Wed Jan 29 07:59 - 08:01  (00:01)
samp     pts/0        go2tech.de       Sat Jan 11 11:24 - 11:24  (00:00)
user1667191

  • Well, it looks rather suspicious. Do you see any suspicious logins in your log files? – Renan Jan 29 '14 at 17:36
  • What does lsof -p 8413 give? Or just ls -l /proc/8413/exe ? – derobert Jan 29 '14 at 17:38
  • Renan, I've updated my post. @derobert, sorry I made the mistake of rebooting the system. I'll wait to see if they show up again though. – user1667191 Jan 29 '14 at 17:41
  • Can you give us more details on this machine? Who is this samp user? – derobert Jan 29 '14 at 17:42
  • samp is just an account I created and it runs 2 gameservers under it. – user1667191 Jan 29 '14 at 17:45
  • I'd suggest looking for files owned by samp, and seeing if you find anything suspicious. But yeah, I'd guess the answer is "yes, compromised". You probably want to remove the network connection. – derobert Jan 29 '14 at 17:47
  • BTW: Please see http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – derobert Jan 29 '14 at 18:08

1 Answer

This probably isn't a real ssh command:

./ssh 150

Since A) ./ means "in the current working directory", and B) "150" is unlikely to be a valid hostname (I haven't tried a plain number as an /etc/hosts alias however). It looks more like someone has a script/executable called ssh somewhere that does who knows what.

Out of curiosity I did a quick search online for the exact phrase "ssh 150" and look what turned up as the ONLY hit (scroll through the text of the ssh-scan script there)! I'd be mighty suspicious at this point...

goldilocks
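The triage the thread points at, as an added example that is not from any poster: filter a ps aux listing for processes whose argv[0] is a relative path (the "./ means current working directory" point from the answer), then ask /proc for the real binary and working directory of each, the check derobert suggests with lsof -p / ls -l /proc/PID/exe. The sample listing is constructed from the question's lines, so those PIDs will not exist on the machine running this, and the user name passed to files_owned_by is a hypothetical argument.

```shell
#!/bin/sh
# Constructed sample: three of the ps aux lines from the question.
SAMPLE_PS='samp      8413  0.0  0.0    968   564 ?        S    12:28   0:00 ./ssh 150
samp      8419  0.0  0.0    956   380 ?        S    12:28   0:00 ./ssh 150
samp      8420  0.0  0.0    956   380 ?        S    12:28   0:00 ./ssh 150'

# Print "user pid command" for each process whose command starts with ./,
# i.e. a binary started from its own directory instead of from $PATH.
# $1 is ps aux style text; columns 11 onward are the command line.
relative_path_procs() {
    printf '%s\n' "$1" | awk '$11 ~ /^\.\// {
        cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
        print $1, $2, cmd }'
}

# Number of relative-path processes in a listing.
count_relative_path_procs() {
    relative_path_procs "$1" | wc -l | tr -d ' '
}

# Report what the kernel says a PID really is: the executable behind it
# and the directory it was launched from. Returns 1 if the PID is gone
# (as after the reboot mentioned in the comments).
describe_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        printf '%s: no such process (exited or system rebooted)\n' "$pid"
        return 1
    fi
    printf '%s exe=%s cwd=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
}

# Every file owned by the given account (the "look for files owned by
# samp" suggestion), skipping the /proc and /sys pseudo filesystems.
files_owned_by() {
    find / \( -path /proc -o -path /sys \) -prune -o -user "$1" -print 2>/dev/null
}

relative_path_procs "$SAMPLE_PS" | while read -r user pid cmd; do
    printf 'flagged: user=%s pid=%s cmd=%s\n' "$user" "$pid" "$cmd"
    describe_pid "$pid" || true
done
```

On a live system replace SAMPLE_PS with "$(ps aux)" and run files_owned_by on the account in question; a readlink target that is a deleted file or an unexpected directory for a process calling itself ssh is exactly the kind of mismatch the answer describes.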