  1. #1
    Just Joined!
    Join Date
    Sep 2007
    Posts
    3

    What is ?}


    Hi

    I'm concerned by some readouts I'm seeing. I'm using ps and webmin, and they are showing some processes running, ?}, which I do not recognize. I've attempted to locate it, but to no avail.
    Google has not revealed anything helpful either.

    The only thing that I seem to be able to link it over to is sshd as ssh connections are killed if I kill the main process.

    But the /etc sshd script seems ok to me, and the executables look ok as well:

    [root@dns1 ~]# ls -la /usr/sbin/sshd
    -rwxr-xr-x 1 root root 2139899 Aug 22 21:30 /usr/sbin/sshd
    [root@dns1 ~]# ls -la /usr/local/sbin/sshd
    lrwxrwxrwx 1 root root 5 Aug 22 21:29 /usr/local/sbin/sshd -> sshd2
    [root@dns1 ~]# ls -la /usr/local/sbin/sshd
    lrwxrwxrwx 1 root root 5 Aug 22 21:29 /usr/local/sbin/sshd -> sshd2
    [root@dns1 ~]# ls -la /usr/local/sbin/sshd2
    -rwxr-xr-x 1 root root 2134143 Aug 22 21:29 /usr/local/sbin/sshd2

    ps -aux
    root 2769 0.0 0.5 3180 1296 ? S 18:22 0:00 ?}
    root 2803 0.0 0.7 3360 1804 ? S 18:22 0:00 ?}

    Has anyone ever come across these conditions, or does anyone know why sshd (assuming it is that) shows up like that?

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    I share in your concern. But then I'm pretty paranoid.

    Use lsof to show the files those PIDs have open. That may be good for some clues. Run:

    # lsof -p 2769

    and

    # lsof -p 2803

    What's the output??

    [ note: You're going to need to use whatever PIDs are showing up with that strange process name. Don't just copy my commands verbatim if the PIDs have changed. ]

  3. #3
    Just Joined!
    Join Date
    Sep 2007
    Posts
    3
    Hi there,
    Still same process id.

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    sshd 2769 root cwd DIR 3,2 4096 2 /
    sshd 2769 root rtd DIR 3,2 4096 2 /
    sshd 2769 root txt REG 3,2 2139899 4135924 /usr/sbin/sshd
    sshd 2769 root mem REG 3,2 112236 2965515 /lib/ld-2.3.6.so
    sshd 2769 root mem REG 3,2 1525032 2965524 /lib/tls/libc-2.3.6.so
    sshd 2769 root mem REG 3,2 213992 2965560 /lib/tls/libm-2.3.6.so
    sshd 2769 root mem REG 3,2 16800 2965555 /lib/libdl-2.3.6.so
    sshd 2769 root mem REG 3,2 29408 2965692 /lib/libpam.so.0.77
    sshd 2769 root mem REG 3,2 12592 2965783 /lib/libtermcap.so.2.0.8
    sshd 2769 root mem REG 3,2 28544 2965717 /lib/libcrypt-2.3.6.so
    sshd 2769 root mem REG 3,2 879961 4130108 /usr/lib/libncurses.so.5.4
    sshd 2769 root mem REG 3,2 97516 2965598 /lib/libnsl-2.3.6.so
    sshd 2769 root mem REG 3,2 15916 2965724 /lib/libutil-2.3.6.so
    sshd 2769 root mem REG 0,0 0 [heap] (stat: No such file or directory)
    sshd 2769 root mem REG 3,2 47380 2965737 /lib/libnss_files-2.3.6.so
    sshd 2769 root 0u CHR 1,3 1977 /dev/null
    sshd 2769 root 1u CHR 1,3 1977 /dev/null
    sshd 2769 root 2u CHR 1,3 1977 /dev/null
    sshd 2769 root 3u IPv6 7180112 TCP *:ssh (LISTEN)
    sshd 2769 root 4u unix 0xccd22280 7180114 socket

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    sshd 2803 root cwd DIR 3,2 4096 2 /
    sshd 2803 root rtd DIR 3,2 4096 2 /
    sshd 2803 root txt REG 3,2 2139899 4135924 /usr/sbin/sshd
    sshd 2803 root mem REG 3,2 112236 2965515 /lib/ld-2.3.6.so
    sshd 2803 root mem REG 3,2 1525032 2965524 /lib/tls/libc-2.3.6.so
    sshd 2803 root mem REG 3,2 213992 2965560 /lib/tls/libm-2.3.6.so
    sshd 2803 root mem REG 3,2 16800 2965555 /lib/libdl-2.3.6.so
    sshd 2803 root mem REG 3,2 29408 2965692 /lib/libpam.so.0.77
    sshd 2803 root mem REG 3,2 12592 2965783 /lib/libtermcap.so.2.0.8
    sshd 2803 root mem REG 3,2 28544 2965717 /lib/libcrypt-2.3.6.so
    sshd 2803 root mem REG 3,2 81184 2965595 /lib/libresolv-2.3.6.so
    sshd 2803 root mem REG 3,2 879961 4130108 /usr/lib/libncurses.so.5.4
    sshd 2803 root mem REG 3,2 97516 2965598 /lib/libnsl-2.3.6.so
    sshd 2803 root mem REG 3,2 15916 2965724 /lib/libutil-2.3.6.so
    sshd 2803 root mem REG 0,0 0 [heap] (stat: No such file or directory)
    sshd 2803 root mem REG 3,2 22584 2965734 /lib/libnss_dns-2.3.6.so
    sshd 2803 root mem REG 3,2 47380 2965737 /lib/libnss_files-2.3.6.so
    sshd 2803 root 0u CHR 1,3 1977 /dev/null
    sshd 2803 root 1u CHR 1,3 1977 /dev/null
    sshd 2803 root 2u CHR 1,3 1977 /dev/null
    sshd 2803 root 3u CHR 5,2 574 /dev/ptmx
    sshd 2803 root 4u unix 0xccd22280 7180114 socket
    sshd 2803 root 5u IPv6 7180256 TCP dns2.psygonsoft.net:ssh->psygonsoft.plus.com:2489 (ESTABLISHED)

    dns2.psygonsoft.net would be the machine's host name, psygonsoft.plus.com would be my ISP's issued hostname for my connection here.

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    The first looks an awful lot like the listening sshd daemon process, and the second looks an awful lot like the process associated with your established ssh session.

    I don't know what to recommend. I find it very strange that the process name is showing up that way. Maybe if you could give some more context (did it begin occurring after an upgrade or some other possibly related change?) it will be more clear about how to proceed.

  5. #5
    Just Joined!
    Join Date
    Sep 2007
    Posts
    3
    Hi,

    Someone had managed to find a password for a plain user and uploaded a brute force script for access to remote systems, but having had a look at the script it did not appear to be directed at the server itself.

    I removed that from the system, and rebooted. I also removed the unused user. I've had no further complaints issued against the server, so I'm guessing that there's no further outward-bound attack script. As far as I can see ssh seems to be working ok, but admittedly I'm no expert.

    I just logged in as a non root user, and the process is showing up as ?, but still the same id.

    I also do not know if this has occurred in relation to this breach or if it's been prior to it (unfortunately I've not paid excessive attention to what's running), but I have used ps before and never seen anything like that.
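Post #5 says the foothold was a guessed password for an ordinary account. The script below is an added example, not code or log data from this thread: it reads the `Failed password` / `Accepted password` lines OpenSSH writes to syslog, groups them by source address, and reports any source whose failures inside a sliding window pass a threshold, and in particular a successful login from that source right after the burst, which is the trace a guessed password leaves in the auth log. The log lines are constructed (hostname `dns1`, documentation-range addresses, made-up PIDs); the ten-minute window and the threshold of five failures are assumptions to tune for the host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH's syslog message format. None of these
# lines come from the thread; the addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Sep 10 18:01:02 dns1 sshd[2810]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Sep 10 18:01:05 dns1 sshd[2811]: Failed password for invalid user oracle from 198.51.100.23 port 40123 ssh2
Sep 10 18:01:09 dns1 sshd[2812]: Failed password for root from 198.51.100.23 port 40124 ssh2
Sep 10 18:01:13 dns1 sshd[2813]: Failed password for invalid user test from 198.51.100.23 port 40125 ssh2
Sep 10 18:01:17 dns1 sshd[2814]: Failed password for backup from 198.51.100.23 port 40126 ssh2
Sep 10 18:01:21 dns1 sshd[2815]: Failed password for backup from 198.51.100.23 port 40127 ssh2
Sep 10 18:01:25 dns1 sshd[2816]: Accepted password for backup from 198.51.100.23 port 40128 ssh2
Sep 10 18:05:40 dns1 sshd[2830]: Failed password for alice from 192.0.2.8 port 51000 ssh2
Sep 10 18:05:48 dns1 sshd[2831]: Accepted password for alice from 192.0.2.8 port 51001 ssh2
Sep 10 18:05:48 dns1 sshd[2831]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Matches only password-authentication decisions; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$")


def parse_auth_log(text, year=2007):
    """Return (timestamp, result, user, source) tuples for password auth events.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # session, pam and disconnect lines are not auth decisions
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Per source address, count failures inside a sliding window and note any
    successful login that lands while the failure count is at or above the
    threshold. Returns {source: {...}} for sources that crossed the threshold."""
    by_src = defaultdict(list)
    for event in sorted(events):
        by_src[event[3]].append(event)
    alerts = {}
    for src, evs in by_src.items():
        recent = []            # timestamps of failures still inside the window
        users = set()
        peak = 0
        logins_after_burst = []
        for ts, result, user, _ in evs:
            recent = [t for t in recent if ts - t <= window]
            if result == "Failed":
                recent.append(ts)
                users.add(user)
                peak = max(peak, len(recent))
            elif len(recent) >= threshold:
                logins_after_burst.append((ts, user))
        if peak >= threshold:
            alerts[src] = {"peak_failures": peak,
                           "users_tried": sorted(users),
                           "logins_after_burst": logins_after_burst}
    return alerts


if __name__ == "__main__":
    for src, info in find_guessing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['peak_failures']} failures in window, "
              f"users tried {info['users_tried']}")
        for ts, user in info["logins_after_burst"]:
            print(f"  successful login as {user!r} at {ts:%H:%M:%S} right after the burst")
```

A single failed attempt followed by a success (the `alice` lines) stays below the threshold and is not reported; the burst of different usernames from one address followed by an accepted password is. On a real host, feed it `/var/log/secure` or `/var/log/auth.log` and pass the correct year to `parse_auth_log`.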

  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    If I'm understanding you correctly, it sounds like the server was compromised at least in some form then.

    If it were me I would rebuild the server from scratch. Make sure you plug the hole that let the compromise occur.

    Not a popular answer, but if you're interested in safety it is the right approach.
