On Mon, 2006-05-08 at 14:46 +1000, Greg Wiggill wrote:
> Hi All,
> does anyone know anything about ssh-scan ?
>
>  3093 root      15   0  7920 6280  2104 S     0.6  0.6   0:59   0 sendmail
> 29230 root      15   0  7940 6532  1916 S     0.5  0.6   1:45   1 sendmail
> 13913 nicole    15   0   504  496   412 S     0.5  0.0   1:07   1 ssh-scan
>  9110 nicole    15   0   504  496   412 S     0.5  0.0   0:33   0 ssh-scan
>  1414 root      15   0   368  336   288 D     0.4  0.0  29:52   0 syslogd
> 13397 root      15   0  9052 8240  1980 S     0.4  0.8   2:40   0 sendmail
> 14226 nicole    15   0   504  496   412 S     0.4  0.0   0:45   1 ssh-scan
>  2285 nicole    15   0   504  496   412 S     0.4  0.0   0:36   1 ssh-scan
> 26936 nicole    15   0   504  496   412 S     0.4  0.0   0:20   0 ssh-scan
> 27052 nicole    15   0   504  496   412 S     0.4  0.0   0:20   1 ssh-scan
>
>
> a client of ours spotted this on their ERP application server after
> receiving a huge internet/data bill
>
> server sits behind a corporate firewall, is ssh-scan removable ? any
> options ?

ssh-scan looks suspiciously like someone's managed to install a rootkit.
May be worth scanning with chkrootkit (www.chkrootkit.org) or Rootkit
Hunter (http://www.rootkit.nl/projects/rootkit_hunter.html)

--
Karl Latiss <karl.latiss@xxxxxxxxxxxxx>
Atvert Systems

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
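
A triage step that fits alongside the rootkit scan suggested in the reply, as an added example that is not part of the original thread: it lists every running process with a given command name and records where its binary and working directory live, so the files can be located and preserved before anything is killed or removed. The function name `triage`, the `WRITABLE_DIRS` list and the reliance on `/proc/<pid>/comm` (present on current Linux kernels) are assumptions of this example.

```python
import os

# Assumption: directories where an unprivileged account can usually drop a binary.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix the kernel appends when the binary was unlinked


def triage(name, proc_root="/proc"):
    """Return one record per running process whose command name is `name`."""
    records = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                if fh.read().strip() != name:
                    continue
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        deleted = exe.endswith(DELETED)
        path = exe[:-len(DELETED)] if deleted else exe
        records.append({
            "pid": int(pid),
            "uid": uid,
            "exe": path,
            "cwd": cwd,
            # A running binary that no longer exists on disk is a strong signal.
            "exe_deleted": deleted,
            "exe_in_writable_dir": path.startswith(WRITABLE_DIRS),
        })
    return records


if __name__ == "__main__":
    # Command name taken from the process listing quoted in the thread.
    for rec in triage("ssh-scan"):
        print(rec)
```

Run it as root so that other users' `/proc` entries are readable, and keep the output with the rest of the incident notes.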