ssh-scan
Karl Latiss
karl.latiss at atvert.com.au
Mon May 8 06:18:49 UTC 2006
On Mon, 2006-05-08 at 14:46 +1000, Greg Wiggill wrote:
> Hi All,
> Does anyone know anything about ssh-scan?
>
> 3093 root 15 0 7920 6280 2104 S 0.6 0.6 0:59 0 sendmail
> 29230 root 15 0 7940 6532 1916 S 0.5 0.6 1:45 1 sendmail
> 13913 nicole 15 0 504 496 412 S 0.5 0.0 1:07 1 ssh-scan
> 9110 nicole 15 0 504 496 412 S 0.5 0.0 0:33 0 ssh-scan
> 1414 root 15 0 368 336 288 D 0.4 0.0 29:52 0 syslogd
> 13397 root 15 0 9052 8240 1980 S 0.4 0.8 2:40 0 sendmail
> 14226 nicole 15 0 504 496 412 S 0.4 0.0 0:45 1 ssh-scan
> 2285 nicole 15 0 504 496 412 S 0.4 0.0 0:36 1 ssh-scan
> 26936 nicole 15 0 504 496 412 S 0.4 0.0 0:20 0 ssh-scan
> 27052 nicole 15 0 504 496 412 S 0.4 0.0 0:20 1 ssh-scan
>
>
> A client of ours spotted this on their ERP application server after
> receiving a huge internet/data bill.
>
> Server sits behind a corporate firewall. Is ssh-scan removable? Any
> options?
ssh-scan looks suspiciously like someone's managed to install a rootkit.
May be worth scanning with chkrootkit (www.chkrootkit.org) or Rootkit
Hunter (http://www.rootkit.nl/projects/rootkit_hunter.html)
--
Karl Latiss <karl.latiss at atvert.com.au>
Atvert Systems