Attack of the killer sshd’s

    #363467
    Anonymous
    Guest

    Last night I noticed a server was having troubles. It had over a dozen sshd -i’s running with only one user logged in.

    Killing them off, and they come back:

    root 22273 1.0 0.0 28112 332 p0 U+ 8:42AM 0:00.00 grep ssh
    rewl 18645 0.1 0.0 30624 276 ?? S 11:50PM 0:01.18 /usr/sbin/sshd -i
    root 18631 0.0 0.1 30696 484 ?? S 11:50PM 0:00.15 /usr/sbin/sshd -i
    root 19908 0.0 0.1 30696 1072 ?? S 12:17AM 0:00.13 /usr/sbin/sshd -i
    rewl 19911 0.0 0.1 30624 528 ?? S 12:17AM 0:00.81 /usr/sbin/sshd -i
    root 20272 0.0 0.1 30696 1076 ?? S 1:21AM 0:00.11 /usr/sbin/sshd -i
    rewl 20274 0.0 0.1 30624 528 ?? S 1:21AM 0:00.64 /usr/sbin/sshd -i
    root 20582 0.0 0.1 30696 1076 ?? S 2:24AM 0:00.11 /usr/sbin/sshd -i
    rewl 20584 0.0 0.1 30624 532 ?? S 2:24AM 0:00.54 /usr/sbin/sshd -i
    root 20932 0.0 0.1 30696 1076 ?? S 3:27AM 0:00.11 /usr/sbin/sshd -i
    root 21194 0.0 0.1 30696 1080 ?? S 4:30AM 0:00.11 /usr/sbin/sshd -i
    rewl 21196 0.0 0.1 30624 528 ?? S 4:30AM 0:00.37 /usr/sbin/sshd -i
    root 21470 0.0 0.1 30696 1076 ?? S 5:33AM 0:00.11 /usr/sbin/sshd -i
    rewl 21472 0.0 0.1 30624 528 ?? S 5:33AM 0:00.29 /usr/sbin/sshd -i
    root 21718 0.0 0.1 30696 1080 ?? S 6:36AM 0:00.11 /usr/sbin/sshd -i
    rewl 21720 0.0 0.1 30624 528 ?? S 6:36AM 0:00.21 /usr/sbin/sshd -i
    root 22006 0.0 0.1 30696 1080 ?? S 7:39AM 0:00.11 /usr/sbin/sshd -i
    rewl 22008 0.0 0.1 30624 528 ?? S 7:39AM 0:00.12 /usr/sbin/sshd -i
    root 22266 0.0 0.1 30696 1136 ?? S 8:42AM 0:00.11 /usr/sbin/sshd -i
    rewl 22268 0.0 0.1 30624 516 ?? S 8:42AM 0:00.03 /usr/sbin/sshd -i
    rewl 20934 0.0 0.1 30624 528 ?? S 3:27AM 0:00.46 /usr/sbin/sshd -i

    I’m at a loss as to why these are popping up all over the place. There is very little clue, though I did catch “launchproxy” starting one up this morning.

    I have enabled process accounting in an attempt to find out wtf is going on. What is odd is that half of them are owned by me (lusername: rewl).

    Note: in spite of these daemons running, I was only logged into the machine — once and sometimes twice. There was nothing that looked untoward, and last, w, finger, all reported the same: that I’m logged in once or twice but have a dozen sshd’s.

    Any thoughts?

    #363488
    joeedel
    Participant

    If you feel comfortable, turn off any programs that start up during login that may be starting an ssh. Also, you can check the Sharing prefs pane for Remote Login and turn it off, and lastly check /etc/hostconfig to make sure the SSHSERVER is off; check directions at Here
    (the directions are for 10.1.x but should apply to later versions). Then turn each program on 1 at a time, then restart and see what processes run; this should help narrow down what’s starting the processes. You could also try to rebuild and install a new version of SSH.

    #363493
    Anonymous
    Guest

    [QUOTE BY= joeedel] If you feel comfortable, turn off any programs that start up during login that may be starting an ssh. Also, you can check the Sharing prefs pane for Remote Login and turn it off, and lastly check /etc/hostconfig to make sure the SSHSERVER is off; check directions at Here
    (the directions are for 10.1.x but should apply to later versions). Then turn each program on 1 at a time, then restart and see what processes run; this should help narrow down what’s starting the processes. You could also try to rebuild and install a new version of SSH.[/QUOTE]

    No no, I want SSH! I use it all the time.

    I found out what host is causing it: my PowerBook!

    root 16178 0.0 0.2 27976 1648 ?? Ss 9:57PM 0:01.19 /usr/bin/ssh -L 9495:192.168.153.34:548 -o StrictHostKeyChecki
    root 16197 0.0 0.2 27976 1648 ?? Ss 11:00PM 0:01.09 /usr/bin/ssh -L 9114:192.168.153.34:548 -o StrictHostKeyChecki
    root 16215 0.0 0.2 27976 1648 ?? Ss 12:03AM 0:01.04 /usr/bin/ssh -L 9432:192.168.153.34:548 -o StrictHostKeyChecki
    root 16233 0.0 0.2 27976 1648 ?? Ss 1:05AM 0:01.02 /usr/bin/ssh -L 9686:192.168.153.34:548 -o StrictHostKeyChecki
    root 16249 0.0 0.2 27976 1648 ?? Ss 2:08AM 0:00.95 /usr/bin/ssh -L 9672:192.168.153.34:548 -o StrictHostKeyChecki

    These are the processes on my PowerBook. Clearly they are for doing AFP mounts over SSH – the port 548 is the clue of course ;) I have unchecked “use ssh” from my Go To dialog when connecting to that server, but it’s persisting for some reason.

    I am using Portable Home Directories, and I suspect that somewhere it is being told I have to mount volumes over SSH, which isn’t working as expected.

    I have a bunch of permissions errors in the Console on that client, saying that it can’t automount things in /Network because of permissions issues.

    Which is odd, because the permissions on the directories (shares) look totally kosher, and they are directly mountable via afp://server/Share\ Name

    Any ideas?
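
The triage done by eye in this thread, as an added example that is not part of the original posts: it tallies `ssh -L` tunnel destinations from the client's `ps aux` output and counts `sshd -i` processes per owner on the server. The function names are hypothetical, the field positions assume the `ps aux` layout shown in the posts, and treating one distinct start time as one inbound session is a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the `ps aux` column layout
# shown in the posts, where the command starts at field 11.

# Client side: count `ssh -L lport:host:hostport` tunnels per destination.
ssh_forward_targets() {
  awk '{ cmd = $11; sub(/.*\//, "", cmd) }
       cmd == "ssh" {
         for (i = 12; i < NF; i++) if ($i == "-L") {
           n = split($(i + 1), p, ":")
           if (n >= 3) seen[p[n - 1] ":" p[n]]++
         }
       }
       END { for (t in seen) print seen[t], t }' | sort -k2
}

# Server side: count `sshd -i` processes per owner and the number of distinct
# start times. Treating one start time as one inbound session is a heuristic.
sshd_i_summary() {
  awk '{ cmd = $11; sub(/.*\//, "", cmd) }
       cmd == "sshd" && $12 == "-i" { own[$1]++; start[$9] = 1 }
       END {
         for (s in start) sessions++
         for (u in own) print u, own[u]
         print "sessions", sessions + 0
       }' | sort
}

# Sample input: a subset of the lines posted above (truncated as posted).
sample_client_ps() {
  cat <<'EOF'
root 16178 0.0 0.2 27976 1648 ?? Ss 9:57PM 0:01.19 /usr/bin/ssh -L 9495:192.168.153.34:548 -o StrictHostKeyChecki
root 16197 0.0 0.2 27976 1648 ?? Ss 11:00PM 0:01.09 /usr/bin/ssh -L 9114:192.168.153.34:548 -o StrictHostKeyChecki
root 16215 0.0 0.2 27976 1648 ?? Ss 12:03AM 0:01.04 /usr/bin/ssh -L 9432:192.168.153.34:548 -o StrictHostKeyChecki
EOF
}
sample_server_ps() {
  cat <<'EOF'
root 22273 1.0 0.0 28112 332 p0 U+ 8:42AM 0:00.00 grep ssh
root 22006 0.0 0.1 30696 1080 ?? S 7:39AM 0:00.11 /usr/sbin/sshd -i
rewl 22008 0.0 0.1 30624 528 ?? S 7:39AM 0:00.12 /usr/sbin/sshd -i
root 22266 0.0 0.1 30696 1136 ?? S 8:42AM 0:00.11 /usr/sbin/sshd -i
rewl 22268 0.0 0.1 30624 516 ?? S 8:42AM 0:00.03 /usr/sbin/sshd -i
EOF
}

sample_client_ps | ssh_forward_targets
sample_server_ps | sshd_i_summary
```

On a live machine, pipe `ps aux` into either function in place of the sample data.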
