AFP548

Attack of the killer sshd’s

Last night I noticed a server was having troubles. It had over a dozen sshd -i's running with only one user logged in.

Killing them off, and they come back:

root 22273 1.0 0.0 28112 332 p0 U+ 8:42AM 0:00.00 grep ssh
rewl 18645 0.1 0.0 30624 276 ?? S 11:50PM 0:01.18 /usr/sbin/sshd -i
root 18631 0.0 0.1 30696 484 ?? S 11:50PM 0:00.15 /usr/sbin/sshd -i
root 19908 0.0 0.1 30696 1072 ?? S 12:17AM 0:00.13 /usr/sbin/sshd -i
rewl 19911 0.0 0.1 30624 528 ?? S 12:17AM 0:00.81 /usr/sbin/sshd -i
root 20272 0.0 0.1 30696 1076 ?? S 1:21AM 0:00.11 /usr/sbin/sshd -i
rewl 20274 0.0 0.1 30624 528 ?? S 1:21AM 0:00.64 /usr/sbin/sshd -i
root 20582 0.0 0.1 30696 1076 ?? S 2:24AM 0:00.11 /usr/sbin/sshd -i
rewl 20584 0.0 0.1 30624 532 ?? S 2:24AM 0:00.54 /usr/sbin/sshd -i
root 20932 0.0 0.1 30696 1076 ?? S 3:27AM 0:00.11 /usr/sbin/sshd -i
root 21194 0.0 0.1 30696 1080 ?? S 4:30AM 0:00.11 /usr/sbin/sshd -i
rewl 21196 0.0 0.1 30624 528 ?? S 4:30AM 0:00.37 /usr/sbin/sshd -i
root 21470 0.0 0.1 30696 1076 ?? S 5:33AM 0:00.11 /usr/sbin/sshd -i
rewl 21472 0.0 0.1 30624 528 ?? S 5:33AM 0:00.29 /usr/sbin/sshd -i
root 21718 0.0 0.1 30696 1080 ?? S 6:36AM 0:00.11 /usr/sbin/sshd -i
rewl 21720 0.0 0.1 30624 528 ?? S 6:36AM 0:00.21 /usr/sbin/sshd -i
root 22006 0.0 0.1 30696 1080 ?? S 7:39AM 0:00.11 /usr/sbin/sshd -i
rewl 22008 0.0 0.1 30624 528 ?? S 7:39AM 0:00.12 /usr/sbin/sshd -i
root 22266 0.0 0.1 30696 1136 ?? S 8:42AM 0:00.11 /usr/sbin/sshd -i
rewl 22268 0.0 0.1 30624 516 ?? S 8:42AM 0:00.03 /usr/sbin/sshd -i
rewl 20934 0.0 0.1 30624 528 ?? S 3:27AM 0:00.46 /usr/sbin/sshd -i


I'm at a loss as to why these are popping up all over the place. There is very little clue, though I did catch "launchproxy" starting one up this morning.

I have enabled process accounting in an attempt to find out wtf is going on. What is odd is that half of them are owned by me (lusername: rewl).

Note: in spite of these daemons running, I was only logged into the machine -- once and sometimes twice. There was nothing that looked untoward, and last, w, finger, all reported the same: that I'm logged in once or twice but have a dozen sshd's.

Any thoughts?
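A triage sketch for a listing like the one in this post, added here and not part of the original post: it groups the `sshd -i` processes by start time, shows who owns each group, and measures the interval between launches. It assumes PIDs only increase during the capture window and that the listing spans less than 24 hours; the function names are illustrative.

```python
import re

# Subset of the ps listing from the post (the grep line is kept on purpose).
PS_OUTPUT = """\
root 22273 1.0 0.0 28112 332 p0 U+ 8:42AM 0:00.00 grep ssh
rewl 18645 0.1 0.0 30624 276 ?? S 11:50PM 0:01.18 /usr/sbin/sshd -i
root 18631 0.0 0.1 30696 484 ?? S 11:50PM 0:00.15 /usr/sbin/sshd -i
root 19908 0.0 0.1 30696 1072 ?? S 12:17AM 0:00.13 /usr/sbin/sshd -i
rewl 19911 0.0 0.1 30624 528 ?? S 12:17AM 0:00.81 /usr/sbin/sshd -i
root 20272 0.0 0.1 30696 1076 ?? S 1:21AM 0:00.11 /usr/sbin/sshd -i
rewl 20274 0.0 0.1 30624 528 ?? S 1:21AM 0:00.64 /usr/sbin/sshd -i
root 20582 0.0 0.1 30696 1076 ?? S 2:24AM 0:00.11 /usr/sbin/sshd -i
rewl 20584 0.0 0.1 30624 532 ?? S 2:24AM 0:00.54 /usr/sbin/sshd -i
root 20932 0.0 0.1 30696 1076 ?? S 3:27AM 0:00.11 /usr/sbin/sshd -i
rewl 20934 0.0 0.1 30624 528 ?? S 3:27AM 0:00.46 /usr/sbin/sshd -i
"""

# user, pid, ..., STARTED (h:mmAM/PM), TIME, command ending in "sshd -i"
ROW = re.compile(r"^(\S+)\s+(\d+)\s.*?\s(\d{1,2}):(\d{2})(AM|PM)\s+\S+\s+\S*sshd -i$")

def parse_sshd_rows(text):
    """Return (user, pid, minutes_since_midnight) for each 'sshd -i' process."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            user, pid, hh, mm, ampm = m.groups()
            hour = int(hh) % 12 + (12 if ampm == "PM" else 0)
            rows.append((user, int(pid), hour * 60 + int(mm)))
    return rows

def group_connections(rows):
    """Group processes by start minute, in PID order (assumed chronological)."""
    groups = {}
    for user, pid, start in sorted(rows, key=lambda r: r[1]):
        groups.setdefault(start, []).append(user)
    return groups

def launch_gaps(groups):
    """Minutes between consecutive launches, allowing for a wrap past midnight."""
    starts = list(groups)
    return [(b - a) % 1440 for a, b in zip(starts, starts[1:])]

if __name__ == "__main__":
    groups = group_connections(parse_sshd_rows(PS_OUTPUT))
    for start, users in groups.items():
        print(f"{start // 60:02d}:{start % 60:02d}  owners={sorted(set(users))}")
    print("gaps (min):", launch_gaps(groups))
```

A root-owned and a user-owned process at each start time is what OpenSSH privilege separation shows for one authenticated connection, so a steady gap between groups is consistent with a scheduled client logging in as that user. Correlating the start times with the sshd authentication log gives the source address of each connection.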