growing number of stale(?) ssh-agent instances run by root

Asked by Andriy Tymchenko

Today I have noticed I have quite a few ssh-agents hanging in the "ps ax" list with Ss status. After a few hours I noticed that their number grows, so I started to dig a bit more. I found that all of them except one (run from my login name) run from root and hang there. An hour ago this line "ps aux | grep ssh-agent | wc -l" gave me 75 (so 73 root-originated), now it shows 85.

So should I start to worry that the system is compromised? Or is this a known bug? Or an unknown bug?

more info
---
silpol@doggy:~$ uname -a
Linux doggy 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 01:41:57 UTC 2010 i686 GNU/Linux
---
silpol@doggy:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.10
Release: 10.10
Codename: maverick
---
silpol@doggy:~$ apt-cache show openssh-client
Package: openssh-client
Priority: standard
Section: net
Installed-Size: 2056
Maintainer: Colin Watson <email address hidden>
Original-Maintainer: Debian OpenSSH Maintainers <email address hidden>
Architecture: i386
Source: openssh
Version: 1:5.5p1-4ubuntu4
Replaces: ssh, ssh-krb5
Provides: rsh-client, ssh-client
Depends: libc6 (>= 2.11), libedit2 (>= 2.5.cvs.20010821-1), libgssapi-krb5-2 (>= 1.7+dfsg), libssl0.9.8 (>= 0.9.8m-1), zlib1g (>= 1:1.1.4), debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
Recommends: xauth
Suggests: ssh-askpass, libpam-ssh, keychain, openssh-blacklist, openssh-blacklist-extra
Conflicts: rsh-client (<< 0.16.1-1), sftp, ssh (<< 1:3.8.1p1-9), ssh-krb5 (<< 1:4.3p2-7)
Filename: pool/main/o/openssh/openssh-client_5.5p1-4ubuntu4_i386.deb
Size: 841590
MD5sum: a7ac227bb540ba6e96474571f562b973
SHA1: 28aefb8ec1096b215c77583b6d050a9aaf92398d
SHA256: 2d34f2ee7d0a5222f1d5ad37b04d712da349b891d30ec4a006cd6884d3d8a468
Description: secure shell (SSH) client, for secure access to remote machines
 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh, scp and sftp clients, the ssh-agent
 and ssh-add programs to make public key authentication more convenient,
 and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.
Homepage: http://www.openssh.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 18m
Task: standard, mythbuntu-backend-master, mythbuntu-backend-slave, mythbuntu-desktop, mythbuntu-frontend
---
silpol@doggy:~$ apt-cache show openssh-server
Package: openssh-server
Priority: optional
Section: net
Installed-Size: 800
Maintainer: Colin Watson <email address hidden>
Original-Maintainer: Debian OpenSSH Maintainers <email address hidden>
Architecture: i386
Source: openssh
Version: 1:5.5p1-4ubuntu4
Replaces: openssh-client (<< 1:3.8.1p1-11), ssh, ssh-import, ssh-krb5
Provides: ssh-server
Depends: libc6 (>= 2.8), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>= 1.8+dfsg), libkrb5-3 (>= 1.6.dfsg.2), libpam0g (>= 0.99.7.1), libselinux1 (>= 1.32), libssl0.9.8 (>= 0.9.8m-1), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4), debconf (>= 1.2.0) | debconf-2.0, openssh-client (= 1:5.5p1-4ubuntu4), upstart-job, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), lsb-base (>= 3.2-13), procps
Recommends: xauth
Suggests: ssh-askpass, rssh, molly-guard, openssh-blacklist, openssh-blacklist-extra, ufw
Conflicts: rsh-client (<< 0.16.1-1), sftp, ssh (<< 1:3.8.1p1-9), ssh-import, ssh-krb5 (<< 1:4.3p2-7), ssh-nonfree (<< 2), ssh-socks, ssh2
Filename: pool/main/o/openssh/openssh-server_5.5p1-4ubuntu4_i386.deb
Size: 301612
MD5sum: 437478bdf3c8fca47e449df627273c98
SHA1: 89f8aa90ffc201049b05b82e1d8b781434e6f8c4
SHA256: 2a1d7d5d87d1223398a90aa2f2fe2bd9fcebfa238bd5142edf342f3c67c3b11a
Description: secure shell (SSH) server, for secure access from remote machines
 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the sshd server.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 sshd replaces the insecure rshd program, which is obsolete for most
 purposes.
Homepage: http://www.openssh.org/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 18m
Task: eucalyptus-cloud, eucalyptus-cluster, eucalyptus-node, eucalyptus-storage, eucalyptus-walrus, openssh-server, uec, virt-host, mythbuntu-backend-master, mythbuntu-backend-slave, mythbuntu-desktop, mythbuntu-frontend

---
silpol@doggy:~$ dpkg -S ssh-agent
x11-common: /etc/X11/Xsession.d/90x11-common_ssh-agent
openssh-client: /usr/share/man/man1/ssh-agent.1.gz
openssh-client: /usr/bin/ssh-agent

Question information

Language: English
Status: Answered
For: Ubuntu openssh
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

Can you give the output of:

ps -ef | grep -i ssh

Thanks

Hilario J. Montoliu (hjmf) (hmontoliu) said :
#2

There shouldn't be growing ssh processes :-/

What are those processes? What originates them, a wrong crontab task
(guessing)?

Can you post the results of:

sudo ps aux | grep ssh

and

sudo ps auxf | grep -C5 ssh

On 09/01/11 02:13, Andriy Tymchenko wrote:
> New question #140713 on openssh in ubuntu:
> https://answers.launchpad.net/ubuntu/+source/openssh/+question/140713

Andriy Tymchenko (silpol) said :
#3

When I wrote the original report, the count (see command in original report) was 85; about an hour later it was 90, but it was 4am or 5am so I went to sleep. Now it is just 93, so the growth doesn't seem exactly linear, and the suspicion of some cron launch is lesser but still not zero. I will try to gather all the info requested above in the next few minutes and also look into cron files, but I'm still not clear about the origins and need help/answer.

Andriy Tymchenko (silpol) said :
#4

Just after I wrote the comment above it counted up to 95 :-/

Andriy Tymchenko (silpol) said :
#5

This is the output requested by actionparsnip:

silpol@doggy:~$ ps -ef | grep -i ssh
root 4166 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4179 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4496 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4500 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4517 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4521 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4525 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4561 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4565 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4569 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4591 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4633 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4637 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4641 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4645 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4652 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4690 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4695 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4705 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4709 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4722 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4732 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4765 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4769 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4773 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4784 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4816 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4820 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4824 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4828 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4835 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4839 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4881 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4890 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4901 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4936 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 4975 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5018 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5025 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5034 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5043 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5047 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5167 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5171 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5220 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5224 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5766 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5803 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5907 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5925 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5944 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 5948 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6026 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6036 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6095 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6099 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6107 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6140 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6144 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6148 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6157 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6239 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6289 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6293 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6422 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6426 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6463 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6467 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6507 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 6512 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 11814 1 0 Jan08 ? 00:00:00 /usr/sbin/sshd
root 13597 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 13603 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 13688 1 0 Jan08 ? 00:00:00 ssh-agent -s
root 16022 1 0 02:46 ? 00:00:00 ssh-agent -s
root 16026 1 0 02:46 ? 00:00:00 ssh-agent -s
root 16082 1 0 02:46 ? 00:00:00 ssh-agent -s
root 16127 1 0 02:47 ? 00:00:00 ssh-agent -s
root 16355 1 0 02:47 ? 00:00:00 ssh-agent -s
root 16449 1 0 02:48 ? 00:00:00 ssh-agent -s
root 16481 1 0 02:48 ? 00:00:00 ssh-agent -s
root 16485 1 0 02:48 ? 00:00:00 ssh-agent -s
root 16601 1 0 02:49 ? 00:00:00 ssh-agent -s
root 16605 1 0 02:49 ? 00:00:00 ssh-agent -s
root 17548 1 0 03:55 ? 00:00:00 ssh-agent -s
root 17552 1 0 03:55 ? 00:00:00 ssh-agent -s
root 17556 1 0 03:56 ? 00:00:00 ssh-agent -s
root 17560 1 0 03:56 ? 00:00:00 ssh-agent -s
silpol 21493 1 0 11:46 ? 00:00:00 ssh-agent -s
root 21735 1 0 11:46 ? 00:00:00 ssh-agent -s
root 21745 1 0 11:46 ? 00:00:00 ssh-agent -s
root 22048 1 0 11:50 ? 00:00:00 ssh-agent -s
root 22052 1 0 11:50 ? 00:00:00 ssh-agent -s
root 22093 1 0 11:57 ? 00:00:00 ssh-agent -s
root 22097 1 0 11:58 ? 00:00:00 ssh-agent -s
silpol 22135 21755 0 12:01 pts/0 00:00:00 grep -i ssh
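
A triage sketch for the listing above, added here as an example and not part of the thread. It counts agents per owner and per start time from `ps -ef` output without counting the `grep` itself, and, going one step beyond the thread, reads the launch environment of an agent from /proc, since every agent shows PPID 1 (`ssh-agent -s` forks into the background) and the process tree cannot name the launcher. The function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): triage ssh-agent processes from
# `ps -ef` output. Function names are illustrative.

# Constructed sample in the `ps -ef` layout used in the thread:
# UID PID PPID C STIME TTY TIME CMD
sample_ps() {
cat <<'EOF'
root      4166     1  0 Jan08 ?        00:00:00 ssh-agent -s
root     11814     1  0 Jan08 ?        00:00:00 /usr/sbin/sshd
root     16022     1  0 02:46 ?        00:00:00 ssh-agent -s
root     16026     1  0 02:46 ?        00:00:00 ssh-agent -s
root     17548     1  0 03:55 ?        00:00:00 ssh-agent -s
silpol   21493     1  0 11:46 ?        00:00:00 ssh-agent -s
root     21735     1  0 11:46 ?        00:00:00 /usr/bin/ssh-agent -s
silpol   22135 21755  0 12:01 pts/0    00:00:00 grep -i ssh
EOF
}

# Shared awk prologue: keep only rows whose command (field 8, path stripped)
# is exactly ssh-agent, so sshd and the grep process are never counted.
IS_AGENT='{ cmd = $8; sub(/.*\//, "", cmd) } cmd != "ssh-agent" { next }'

# Agents per owner, e.g. "root 5".
agents_by_user() {
  awk "$IS_AGENT"' { n[$1]++ } END { for (u in n) print u, n[u] }' | LC_ALL=C sort
}

# Agents per owner and start time. Several agents sharing one minute point at
# a recurring launcher; the minutes can be compared with cron and login times.
agents_by_start() {
  awk "$IS_AGENT"' { n[$1 " " $5]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# PIDs of agents whose parent is PID 1, i.e. the launcher has already exited.
orphaned_agents() {
  awk "$IS_AGENT"' $3 == 1 { print $2 }'
}

# Print the variables an agent was started with that hint at its launcher.
# /proc/<pid>/environ is NUL-separated; for another user's process it is
# readable only by root. The second argument (proc root) exists for testing.
agent_launch_env() {
  pid=$1
  proc=${2:-/proc}
  [ -r "$proc/$pid/environ" ] || return 1
  tr '\0' '\n' < "$proc/$pid/environ" |
    grep -E '^(USER|LOGNAME|HOME|PWD|SUDO_USER|SUDO_COMMAND|DISPLAY)=' || true
}

# Demo on the constructed sample.
echo "agents per owner:";            sample_ps | agents_by_user
echo "agents per owner/start time:"; sample_ps | agents_by_start
echo "agents reparented to PID 1:";  sample_ps | orphaned_agents | tr '\n' ' '; echo
```

On a live host, pipe `ps -ef` into the three summary functions in place of `sample_ps`, and run `agent_launch_env <pid>` as root for a few of the reported PIDs.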

Andriy Tymchenko (silpol) said :
#6

These are the outputs requested by hjmf:

---
silpol@doggy:~$ sudo ps aux | grep ssh
root 4166 0.0 0.0 3348 0 ? Ss Jan08 0:00 ssh-agent -s
root 4179 0.0 0.0 3348 0 ? Ss Jan08 0:00 ssh-agent -s
root 4496 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4500 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4517 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4521 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4525 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4561 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4565 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4569 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4591 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4633 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4637 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4641 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4645 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4652 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4690 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4695 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4705 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4709 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4722 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4732 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4765 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4769 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4773 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4784 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4816 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4820 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4824 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4828 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4835 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4839 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4881 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4890 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4901 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4936 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4975 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5018 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5025 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5034 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5043 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5047 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5167 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5171 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5220 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5224 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5766 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5803 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5907 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5925 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5944 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5948 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6026 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6036 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6095 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6099 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6107 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6140 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6144 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6148 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6157 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6239 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6289 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6293 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6422 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6426 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6463 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6467 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6507 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6512 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 11814 0.0 0.0 5632 884 ? Ss Jan08 0:00 /usr/sbin/sshd
root 13597 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 13603 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 13688 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 16022 0.0 0.0 3348 204 ? Ss 02:46 0:00 ssh-agent -s
root 16026 0.0 0.0 3348 200 ? Ss 02:46 0:00 ssh-agent -s
root 16082 0.0 0.0 3348 200 ? Ss 02:46 0:00 ssh-agent -s
root 16127 0.0 0.0 3348 200 ? Ss 02:47 0:00 ssh-agent -s
root 16355 0.0 0.0 3348 196 ? Ss 02:47 0:00 ssh-agent -s
root 16449 0.0 0.0 3348 200 ? Ss 02:48 0:00 ssh-agent -s
root 16481 0.0 0.0 3348 200 ? Ss 02:48 0:00 ssh-agent -s
root 16485 0.0 0.0 3348 196 ? Ss 02:48 0:00 ssh-agent -s
root 16601 0.0 0.0 3348 204 ? Ss 02:49 0:00 ssh-agent -s
root 16605 0.0 0.0 3348 204 ? Ss 02:49 0:00 ssh-agent -s
root 17548 0.0 0.0 3348 200 ? Ss 03:55 0:00 ssh-agent -s
root 17552 0.0 0.0 3348 200 ? Ss 03:55 0:00 ssh-agent -s
root 17556 0.0 0.0 3348 200 ? Ss 03:56 0:00 ssh-agent -s
root 17560 0.0 0.0 3348 200 ? Ss 03:56 0:00 ssh-agent -s
silpol 21493 0.0 0.0 3348 204 ? Ss 11:46 0:00 ssh-agent -s
root 21735 0.0 0.0 3348 200 ? Ss 11:46 0:00 ssh-agent -s
root 21745 0.0 0.0 3348 204 ? Ss 11:46 0:00 ssh-agent -s
root 22048 0.0 0.0 3348 200 ? Ss 11:50 0:00 ssh-agent -s
root 22052 0.0 0.0 3348 204 ? Ss 11:50 0:00 ssh-agent -s
root 22093 0.0 0.0 3348 200 ? Ss 11:57 0:00 ssh-agent -s
root 22097 0.0 0.0 3348 204 ? Ss 11:58 0:00 ssh-agent -s
silpol 22151 0.0 0.0 4012 740 pts/0 S+ 12:03 0:00 grep ssh

---
silpol@doggy:~$ sudo ps auxf | grep -C5 ssh
104 1809 0.0 0.0 2092 672 ? S Jan08 0:00 avahi-autoipd: [eth0] bound 169.254.5.99
root 1810 0.0 0.0 1876 212 ? S Jan08 0:00 \_ avahi-autoipd: [eth0] callout dispatcher
root 1898 0.0 0.0 2292 516 ? Ss Jan08 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1985 0.0 0.1 16144 3008 ? Sl Jan08 0:04 /usr/lib/udisks/udisks-daemon
root 1987 0.0 0.0 5612 528 ? S Jan08 0:23 \_ udisks-daemon: polling /dev/sr0
root 4166 0.0 0.0 3348 0 ? Ss Jan08 0:00 ssh-agent -s
root 4179 0.0 0.0 3348 0 ? Ss Jan08 0:00 ssh-agent -s
root 4496 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4500 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4517 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4521 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4525 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4561 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4565 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4569 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4591 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4633 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4637 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4641 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4645 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4652 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4690 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4695 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4705 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4709 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4722 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4732 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4765 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4769 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4773 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4784 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4816 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4820 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4824 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4828 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4835 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4839 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 4881 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 4890 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4901 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4936 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 4975 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5018 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5025 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5034 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5043 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5047 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5167 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5171 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5220 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5224 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5766 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5803 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 5907 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5925 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 5944 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 5948 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6026 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6036 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6095 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6099 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6107 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6140 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6144 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6148 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6157 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6239 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6289 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6293 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6422 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6426 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6463 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 6467 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6507 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 6512 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 11756 0.0 0.0 2296 252 ? Ss Jan08 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp3/dhclient.eth1.leases eth1
root 11814 0.0 0.0 5632 884 ? Ss Jan08 0:00 /usr/sbin/sshd
root 13597 0.0 0.0 3348 204 ? Ss Jan08 0:00 ssh-agent -s
root 13603 0.0 0.0 3348 200 ? Ss Jan08 0:00 ssh-agent -s
root 13688 0.0 0.0 3348 196 ? Ss Jan08 0:00 ssh-agent -s
root 15407 0.0 0.5 13936 8076 ? S 01:57 0:00 /usr/bin/python /usr/lib/system-service/system-service-d
silpol 15622 0.0 0.2 42328 3332 ? Ssl 02:18 0:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=19
ksamis 15836 0.0 0.2 42196 3208 ? Ssl 02:22 0:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=19
root 16022 0.0 0.0 3348 204 ? Ss 02:46 0:00 ssh-agent -s
root 16026 0.0 0.0 3348 200 ? Ss 02:46 0:00 ssh-agent -s
root 16082 0.0 0.0 3348 200 ? Ss 02:46 0:00 ssh-agent -s
root 16127 0.0 0.0 3348 200 ? Ss 02:47 0:00 ssh-agent -s
root 16355 0.0 0.0 3348 196 ? Ss 02:47 0:00 ssh-agent -s
root 16449 0.0 0.0 3348 200 ? Ss 02:48 0:00 ssh-agent -s
root 16481 0.0 0.0 3348 200 ? Ss 02:48 0:00 ssh-agent -s
root 16485 0.0 0.0 3348 196 ? Ss 02:48 0:00 ssh-agent -s
root 16601 0.0 0.0 3348 204 ? Ss 02:49 0:00 ssh-agent -s
root 16605 0.0 0.0 3348 204 ? Ss 02:49 0:00 ssh-agent -s
root 17548 0.0 0.0 3348 200 ? Ss 03:55 0:00 ssh-agent -s
root 17552 0.0 0.0 3348 200 ? Ss 03:55 0:00 ssh-agent -s
root 17556 0.0 0.0 3348 200 ? Ss 03:56 0:00 ssh-agent -s
root 17560 0.0 0.0 3348 200 ? Ss 03:56 0:00 ssh-agent -s
gdm 21446 0.0 0.0 3456 560 ? S 11:46 0:00 /usr/bin/dbus-launch --exit-with-session
silpol 21493 0.0 0.0 3348 204 ? Ss 11:46 0:00 ssh-agent -s
silpol 21496 0.0 0.1 24980 2516 ? Sl 11:46 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
silpol 21568 0.0 0.0 3456 568 ? S 11:46 0:00 dbus-launch --exit-with-session gnome-session
silpol 21569 0.0 0.1 4496 1772 ? Ss 11:46 0:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
silpol 21573 0.2 0.3 9756 4672 ? S 11:46 0:03 /usr/lib/libgconf2-4/gconfd-2
silpol 21585 0.0 0.8 144604 13460 ? Ssl 11:46 0:00 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
--
silpol 21712 0.0 0.1 7360 2052 ? S 11:46 0:00 /usr/lib/gvfs/gvfsd-metadata
silpol 21714 0.0 0.3 26920 4888 ? Sl 11:46 0:00 /usr/lib/indicator-session/indicator-session-service
silpol 21717 0.0 0.3 27992 4836 ? Sl 11:46 0:00 /usr/lib/indicator-me/indicator-me-service
silpol 21721 0.0 0.1 26672 2588 ? Ss 11:46 0:00 gnome-screensaver
silpol 21723 0.0 0.1 7448 2380 ? S 11:46 0:00 /usr/lib/gvfs/gvfsd-burn --spawner :1.11 /org/gtk/gvfs/exec_spaw/1
root 21735 0.0 0.0 3348 200 ? Ss 11:46 0:00 ssh-agent -s
root 21745 0.0 0.0 3348 204 ? Ss 11:46 0:00 ssh-agent -s
silpol 21749 0.0 0.1 13436 2904 ? S 11:46 0:00 /usr/bin/obex-data-server --no-daemon
silpol 21751 0.4 0.9 93740 14488 ? Sl 11:46 0:05 gnome-terminal
silpol 21754 0.0 0.0 2052 688 ? S 11:46 0:00 \_ gnome-pty-helper
silpol 21755 0.0 0.2 7124 3760 pts/0 Ss 11:46 0:00 \_ bash
root 22159 0.0 0.0 4884 1084 pts/0 R+ 12:05 0:00 \_ ps auxf
silpol 22160 0.0 0.0 4008 752 pts/0 S+ 12:05 0:00 \_ grep -C5 ssh
silpol 21882 0.0 0.0 1896 508 ? S 11:47 0:00 /bin/sh /usr/lib/firefox-3.6.13/firefox
silpol 21886 0.0 0.0 1896 504 ? S 11:47 0:00 \_ /bin/sh /usr/lib/firefox-3.6.13/run-mozilla.sh /usr/lib/firefox-3.6.13/firefox-bin
silpol 21890 23.7 17.8 583892 274740 ? Rl 11:47 4:23 \_ /usr/lib/firefox-3.6.13/firefox-bin
silpol 21932 17.2 3.6 145332 56760 ? Sl 11:47 3:08 \_ /usr/lib/firefox-3.6.13/plugin-container /usr/lib/adobe-flashplugin/libflashplayer.so 21890 plugin true
silpol 22012 0.0 0.5 54036 8336 ? Sl 11:48 0:00 /opt/google/talkplugin/GoogleTalkPlugin
root 22048 0.0 0.0 3348 200 ? Ss 11:50 0:00 ssh-agent -s
root 22052 0.0 0.0 3348 204 ? Ss 11:50 0:00 ssh-agent -s
root 22093 0.0 0.0 3348 200 ? Ss 11:57 0:00 ssh-agent -s
root 22097 0.0 0.0 3348 204 ? Ss 11:58 0:00 ssh-agent -s

---

Andriy Tymchenko (silpol) said :
#7

If I understand correctly, there is not a single crontab file in /var/spool/cron/

silpol@doggy:~$ sudo ls /var/spool/cron/
atjobs atspool crontabs
silpol@doggy:~$ sudo ls /var/spool/cron/atjobs/
silpol@doggy:~$ sudo ls /var/spool/cron/atspool/
silpol@doggy:~$ sudo ls /var/spool/cron/crontabs/
silpol@doggy:~$

Andriy Tymchenko (silpol) said :
#8

this is /etc/crontab - seems like nothing special

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

actionparsnip (andrew-woodhead666) said :
#9

http://www.cl.cam.ac.uk/cgi-bin/manpage?ssh-agent

Seems if you can specify the -d option (somehow) then it won't fork.

Hilario J. Montoliu (hjmf) (hmontoliu) said :
#10

Hi Andriy Tymchenko,

... and what about your login scripts (.bashrc and .profile, maybe .bash_profile if your home has been in another distro ;-) )? Is there a call to ssh-agent? There shouldn't be.

HTH

Andriy Tymchenko (silpol) said :
#11

I looked into various cron files around - nothing special. Here is a list of them, and none of them looks at all suspicious on a _first_, very shallow look

silpol@doggy:/etc$ ls -R cron*
crontab

cron.d:
anacron

cron.daily:
0anacron apport apt aptitude bsdmainutils dpkg google-talkplugin logrotate man-db mlocate popularity-contest samba standard sysklogd

cron.hourly:

cron.monthly:
0anacron

cron.weekly:
0anacron apt-xapian-index man-db sysklogd

Andriy Tymchenko (silpol) said :
#12

.bashrc has no direct mention of ssh keyword

.profile has this comment and next command commented out
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

no .bash_profile in home

Andriy Tymchenko (silpol) said :
#13

meanwhile

silpol@doggy:~$ ps aux | grep ssh-agent | wc -l
113

Andriy Tymchenko (silpol) said :
#14

about -d option:

1) if I knew which part causes this ssh-agent to be launched, I'd be more certain what I have on my hands - but I do not know

2) I do not run a single new application, only issue commands in a single gterminal - yet the number of stale ssh-agents grows

3) adding the -d option might shut up the growing number of stale ssh-agents, but it won't address the _cause_, and I'm not after making myself comfortable but after digging down to the origin of the problem (you know, "sublata causa tollitur morbus")

Hilario J. Montoliu (hjmf) (hmontoliu) said :
#15

Hi Andriy Tymchenko,

There must be a parent pid that should indicate which process launches ssh-agent. But that parent pid seems to have a very short life, as it doesn't appear in the ps auxf output.

Your hope of catching it lies in monitoring ps at short intervals (some tools may help you: pstree, top, atop).

As, if I recall correctly, the processes didn't grow while you were sleeping, chances that it is related to your user activity are high (and obvious). That's why I pointed you to your login scripts.

What if you close your user's session, create a *brand* new user and see if it is still happening?

Just guesses and thoughts as I'm as lost as you are ;-)

HTH
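The polling idea from post #15, as an added example that is not part of the original thread: ssh-agent detaches from whatever started it, so the surviving agent no longer points at its launcher, and the only trace is the short-lived processes seen in a snapshot taken just before the agent appeared. The snapshots below are constructed, `example-daemon` and `/usr/local/bin/example-job` are hypothetical names, and the "same user, slightly lower PID" match is a heuristic that assumes sequential PID allocation.

```python
import re

# Constructed `ps -eo pid,ppid,user,args` snapshots, taken a fraction of a
# second apart. example-daemon and example-job are hypothetical names.
SNAPSHOTS = [
    """  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  900     1 root     example-daemon
 2100     1 silpol   gnome-terminal
""",
    """  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  900     1 root     example-daemon
 2100     1 silpol   gnome-terminal
 3001   900 root     /bin/sh -c /usr/local/bin/example-job
 3002  3001 root     /bin/sh /usr/local/bin/example-job
""",
    """  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  900     1 root     example-daemon
 2100     1 silpol   gnome-terminal
 3004     1 root     ssh-agent -s
""",
]

def parse_snapshot(text):
    """Return {pid: (ppid, user, args)} for one ps snapshot (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)", line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3), m.group(4))
    return procs

def is_agent(args):
    parts = args.split()
    return bool(parts) and parts[0].rsplit("/", 1)[-1] == "ssh-agent"

def ancestry(procs, pid):
    """Follow PPID links inside one snapshot: [(pid, args), ...] up to init."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _user, args = procs[pid]
        chain.append((pid, args))
        pid = ppid
    return chain

def trace_agents(snapshots, window=50):
    """Map each newly appeared ssh-agent PID to the ancestry of short-lived,
    same-user processes with a slightly lower PID (closest PID first)."""
    parsed = [parse_snapshot(s) for s in snapshots]
    findings = {}
    for i in range(1, len(parsed)):
        prev, cur = parsed[i - 1], parsed[i]
        baseline = parsed[i - 2] if i >= 2 else {}
        for agent, (_ppid, user, args) in cur.items():
            if not is_agent(args) or agent in prev:
                continue  # not an agent, or already known
            chains = []
            for snap in (cur, prev):
                for pid in sorted(snap, reverse=True):
                    recent = pid not in baseline and agent - window <= pid < agent
                    if recent and snap[pid][1] == user and not is_agent(snap[pid][2]):
                        chain = ancestry(snap, pid)
                        if chain not in chains:
                            chains.append(chain)
            findings[agent] = sorted(chains, key=lambda c: -c[0][0])
    return findings

if __name__ == "__main__":
    for agent, chains in trace_agents(SNAPSHOTS).items():
        for chain in chains:
            print(agent, "<-", " <- ".join(a for _pid, a in chain))
```

On a live system the snapshots would come from running `ps -eo pid,ppid,user,args` in a tight loop; the shorter the interval, the better the chance of catching the launcher before it exits.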

Andriy Tymchenko (silpol) said :
#16

I have made a call to a friend who gave me a few basic pieces of advice (just because I'm tired and can miss something obvious)

I have installed chkrootkit and run it in _NOT_ single-user mode

silpol@doggy:~$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/xulrunner-1.9.2.13/.autoreg /usr/lib/firefox-3.6.13/.autoreg /usr/lib/pymodules/python2.6/.path /usr/lib/thunderbird-3.1.7/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0:avahi: PACKET SNIFFER(/sbin/dhclient3[1898], /usr/sbin/avahi-autoipd[1809])
eth1: PACKET SNIFFER(/sbin/dhclient3[11756])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

Andriy Tymchenko (silpol) said :
#17

silpol@doggy:~$ sudo rkhunter --check
[ Rootkit Hunter version 1.3.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables [ None found ]
    Checking for preloaded libraries [ None found ]
    Checking LD_LIBRARY_PATH variable [ Not found ]

  Performing file properties checks
    Checking for prerequisites [ OK ]
    /bin/bash [ OK ]
    /bin/cat [ OK ]
    /bin/chmod [ OK ]
    /bin/chown [ OK ]
    /bin/cp [ OK ]
    /bin/date [ OK ]
    /bin/df [ OK ]
    /bin/dmesg [ OK ]
    /bin/echo [ OK ]
    /bin/ed [ OK ]
    /bin/egrep [ OK ]
    /bin/fgrep [ OK ]
    /bin/fuser [ OK ]
    /bin/grep [ OK ]
    /bin/ip [ OK ]
    /bin/kill [ OK ]
    /bin/less [ OK ]
    /bin/login [ OK ]
    /bin/ls [ OK ]
    /bin/lsmod [ OK ]
    /bin/mktemp [ OK ]
    /bin/more [ OK ]
    /bin/mount [ OK ]
    /bin/mv [ OK ]
    /bin/netstat [ OK ]
    /bin/ps [ OK ]
    /bin/pwd [ OK ]
    /bin/readlink [ OK ]
    /bin/sed [ OK ]
    /bin/sh [ OK ]
    /bin/su [ OK ]
    /bin/touch [ OK ]
    /bin/uname [ OK ]
    /bin/which [ OK ]
    /bin/dash [ OK ]
    /usr/bin/awk [ OK ]
    /usr/bin/basename [ OK ]
    /usr/bin/chattr [ OK ]
    /usr/bin/curl [ OK ]
    /usr/bin/cut [ OK ]
    /usr/bin/diff [ OK ]
    /usr/bin/dirname [ OK ]
    /usr/bin/dpkg [ OK ]
    /usr/bin/dpkg-query [ OK ]
    /usr/bin/du [ OK ]
    /usr/bin/env [ OK ]
    /usr/bin/file [ OK ]
    /usr/bin/find [ OK ]
    /usr/bin/GET [ OK ]
    /usr/bin/groups [ OK ]
    /usr/bin/head [ OK ]
    /usr/bin/id [ OK ]
    /usr/bin/killall [ OK ]
    /usr/bin/last [ OK ]
    /usr/bin/lastlog [ OK ]
    /usr/bin/ldd [ OK ]
    /usr/bin/less [ OK ]
    /usr/bin/locate [ OK ]
    /usr/bin/logger [ OK ]
    /usr/bin/lsattr [ OK ]
    /usr/bin/lsof [ OK ]
    /usr/bin/mail [ OK ]
    /usr/bin/md5sum [ OK ]
    /usr/bin/mlocate [ OK ]
    /usr/bin/newgrp [ OK ]
    /usr/bin/passwd [ OK ]
    /usr/bin/perl [ OK ]
    /usr/bin/pgrep [ OK ]
    /usr/bin/pstree [ OK ]
    /usr/bin/rkhunter [ OK ]
    /usr/bin/runcon [ OK ]
    /usr/bin/sha1sum [ OK ]
    /usr/bin/sha224sum [ OK ]
    /usr/bin/sha256sum [ OK ]
    /usr/bin/sha384sum [ OK ]
    /usr/bin/sha512sum [ OK ]
    /usr/bin/size [ OK ]
    /usr/bin/sort [ OK ]
    /usr/bin/stat [ OK ]
    /usr/bin/strace [ OK ]
    /usr/bin/strings [ OK ]
    /usr/bin/sudo [ OK ]
    /usr/bin/tail [ OK ]
    /usr/bin/test [ OK ]
    /usr/bin/top [ OK ]
    /usr/bin/touch [ OK ]
    /usr/bin/tr [ OK ]
    /usr/bin/uniq [ OK ]
    /usr/bin/users [ OK ]
    /usr/bin/vmstat [ OK ]
    /usr/bin/w [ OK ]
    /usr/bin/watch [ OK ]
    /usr/bin/wc [ OK ]
    /usr/bin/wget [ OK ]
    /usr/bin/whatis [ OK ]
    /usr/bin/whereis [ OK ]
    /usr/bin/which [ OK ]
    /usr/bin/who [ OK ]
    /usr/bin/whoami [ OK ]
    /usr/bin/gawk [ OK ]
    /usr/bin/lwp-request [ OK ]
    /usr/bin/bsd-mailx [ OK ]
    /usr/bin/w.procps [ OK ]
    /sbin/depmod [ OK ]
    /sbin/ifconfig [ OK ]
    /sbin/ifdown [ OK ]
    /sbin/ifup [ OK ]
    /sbin/init [ OK ]
    /sbin/insmod [ OK ]
    /sbin/ip [ OK ]
    /sbin/lsmod [ OK ]
    /sbin/modinfo [ OK ]
    /sbin/modprobe [ OK ]
    /sbin/rmmod [ OK ]
    /sbin/runlevel [ OK ]
    /sbin/sulogin [ OK ]
    /sbin/sysctl [ OK ]
    /usr/sbin/adduser [ OK ]
    /usr/sbin/chroot [ OK ]
    /usr/sbin/cron [ OK ]
    /usr/sbin/groupadd [ OK ]
    /usr/sbin/groupdel [ OK ]
    /usr/sbin/groupmod [ OK ]
    /usr/sbin/grpck [ OK ]
    /usr/sbin/nologin [ OK ]
    /usr/sbin/pwck [ OK ]
    /usr/sbin/rsyslogd [ OK ]
    /usr/sbin/tcpd [ OK ]
    /usr/sbin/useradd [ OK ]
    /usr/sbin/userdel [ OK ]
    /usr/sbin/usermod [ OK ]
    /usr/sbin/vipw [ OK ]
    /usr/sbin/unhide-linux26 [ OK ]

[Press <ENTER> to continue]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A [ Not found ]
    ADM Worm [ Not found ]
    AjaKit Rootkit [ Not found ]
    Adore Rootkit [ Not found ]
    aPa Kit [ Not found ]
    Apache Worm [ Not found ]
    Ambient (ark) Rootkit [ Not found ]
    Balaur Rootkit [ Not found ]
    BeastKit Rootkit [ Not found ]
    beX2 Rootkit [ Not found ]
    BOBKit Rootkit [ Not found ]
    cb Rootkit [ Not found ]
    CiNIK Worm (Slapper.B variant) [ Not found ]
    Danny-Boy's Abuse Kit [ Not found ]
    Devil RootKit [ Not found ]
    Dica-Kit Rootkit [ Not found ]
    Dreams Rootkit [ Not found ]
    Duarawkz Rootkit [ Not found ]
    Enye LKM [ Not found ]
    Flea Linux Rootkit [ Not found ]
    FreeBSD Rootkit [ Not found ]
    Fu Rootkit [ Not found ]
    Fuck`it Rootkit [ Not found ]
    GasKit Rootkit [ Not found ]
    Heroin LKM [ Not found ]
    HjC Kit [ Not found ]
    ignoKit Rootkit [ Not found ]
    iLLogiC Rootkit [ Not found ]
    IntoXonia-NG Rootkit [ Not found ]
    Irix Rootkit [ Not found ]
    Kitko Rootkit [ Not found ]
    Knark Rootkit [ Not found ]
    ld-linuxv.so Rootkit [ Not found ]
    Li0n Worm [ Not found ]
    Lockit / LJK2 Rootkit [ Not found ]
    Mood-NT Rootkit [ Not found ]
    MRK Rootkit [ Not found ]
    Ni0 Rootkit [ Not found ]
    Ohhara Rootkit [ Not found ]
    Optic Kit (Tux) Worm [ Not found ]
    Oz Rootkit [ Not found ]
    Phalanx Rootkit [ Not found ]
    Phalanx2 Rootkit [ Not found ]
    Phalanx2 Rootkit (extended tests) [ Not found ]
    Portacelo Rootkit [ Not found ]
    R3dstorm Toolkit [ Not found ]
    RH-Sharpe's Rootkit [ Not found ]
    RSHA's Rootkit [ Not found ]
    Scalper Worm [ Not found ]
    Sebek LKM [ Not found ]
    Shutdown Rootkit [ Not found ]
    SHV4 Rootkit [ Not found ]
    SHV5 Rootkit [ Not found ]
    Sin Rootkit [ Not found ]
    Slapper Worm [ Not found ]
    Sneakin Rootkit [ Not found ]
    'Spanish' Rootkit [ Not found ]
    Suckit Rootkit [ Not found ]
    SunOS Rootkit [ Not found ]
    SunOS / NSDAP Rootkit [ Not found ]
    Superkit Rootkit [ Not found ]
    TBD (Telnet BackDoor) [ Not found ]
    TeLeKiT Rootkit [ Not found ]
    T0rn Rootkit [ Not found ]
    trNkit Rootkit [ Not found ]
    Trojanit Kit [ Not found ]
    Tuxtendo Rootkit [ Not found ]
    URK Rootkit [ Not found ]
    Vampire Rootkit [ Not found ]
    VcKit Rootkit [ Not found ]
    Volc Rootkit [ Not found ]
    Xzibit Rootkit [ Not found ]
    X-Org SunOS Rootkit [ Not found ]
    zaRwT.KiT Rootkit [ Not found ]
    ZK Rootkit [ Not found ]

  Performing additional rootkit checks
    Suckit Rookit additional checks [ OK ]
    Checking for possible rootkit files and directories [ None found ]
    Checking for possible rootkit strings [ None found ]

  Performing malware checks
    Checking running processes for suspicious files [ None found ]
    Checking for login backdoors [ None found ]
    Checking for suspicious directories [ None found ]
    Checking for sniffer log files [ None found ]

  Performing trojan specific checks
    Checking for enabled inetd services [ OK ]

  Performing Linux specific checks
    Checking loaded kernel modules [ OK ]
    Checking kernel module names [ OK ]

[Press <ENTER> to continue]

Checking the network...

  Performing check for backdoor ports
    Checking for TCP port 1524 [ Not found ]
    Checking for TCP port 1984 [ Not found ]
    Checking for UDP port 2001 [ Not found ]
    Checking for TCP port 2006 [ Not found ]
    Checking for TCP port 2128 [ Not found ]
    Checking for TCP port 6666 [ Not found ]
    Checking for TCP port 6667 [ Not found ]
    Checking for TCP port 6668 [ Not found ]
    Checking for TCP port 6669 [ Not found ]
    Checking for TCP port 7000 [ Not found ]
    Checking for TCP port 13000 [ Not found ]
    Checking for TCP port 14856 [ Not found ]
    Checking for TCP port 25000 [ Not found ]
    Checking for TCP port 29812 [ Not found ]
    Checking for TCP port 31337 [ Not found ]
    Checking for TCP port 33369 [ Not found ]
    Checking for TCP port 47107 [ Not found ]
    Checking for TCP port 47018 [ Not found ]
    Checking for TCP port 60922 [ Not found ]
    Checking for TCP port 62883 [ Not found ]
    Checking for TCP port 65535 [ Not found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces [ None found ]

[Press <ENTER> to continue]

Checking the local host...

  Performing system boot checks
    Checking for local host name [ Found ]
    Checking for system startup files [ Found ]
    Checking system startup files for malware [ None found ]

  Performing group and account checks
    Checking for passwd file [ Found ]
    Checking for root equivalent (UID 0) accounts [ None found ]
    Checking for passwordless accounts [ None found ]
    Checking for passwd file changes [ None found ]
    Checking for group file changes [ None found ]
    Checking root account shell history files [ OK ]

  Performing system configuration file checks
    Checking for SSH configuration file [ Found ]
    Checking if SSH root access is allowed [ Warning ]
    Checking if SSH protocol v1 is allowed [ Not allowed ]
    Checking for running syslog daemon [ Found ]
    Checking for syslog configuration file [ Found ]
    Checking if syslog remote logging is allowed [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types [ Warning ]
    Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]

System checks summary
=====================

File properties checks...
    Files checked: 133
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 245
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 2 minutes and 27 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Andriy Tymchenko (silpol) said :
#18

/var/log/rkhunter.log
---
Launchpad fails and does not allow me to post the log mentioned above, but it doesn't contain anything fishy

hence I reduce alertness and _tend_ to look more after ssh-agent (misconfiguration in particular)

Hilario J. Montoliu (hjmf) (hmontoliu) said :
#19

Hi Andriy Tymchenko,

I've always thought that it is a misconfiguration.

Trying with a new profile might be worth a try

HTH
