<p>On Wed, 27 Feb 2013 13:30:13 +0000, Steven Howes <steve-lists@geekinter.net> wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<div>
<div>On 27 Feb 2013, at 13:23, Will Nordmeyer wrote:</div>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<p>I've been monitoring the ssh vulnerability and don't see anything there, but I did notice that I have multiple processes when I do a PS looking like this:</p>
<pre>
root 7499 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 7550 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 8127 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 8523 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 9165 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 10050 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 10562 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 10706 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 11208 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] startup
</pre>
<p>I don't know who 201.238.254.243 is - and I'm not sure where that server startup is coming from. Any advice? Quick? help?</p>
</blockquote>
</div>
Well that's not ssh. Could be someone exploiting your sendmail (well, trying random passwords at least). Just firewall them out... It's unlikely to be real mail, 201.238.254.243 doesn't listen on SMTP.
<div>S</div>
</blockquote>
<p>I blocked them input and output via iptables:</p>
<pre>
iptables -A INPUT --source 201.238.254.243
iptables -A OUTPUT --destination 201.238.254.243
</pre>
<p>and added them to deny.hosts.rules in apf but when I restart sendmail, there they are.</p>
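<p>A defender's check for the process list quoted above, added here as an example and not part of the thread: it counts concurrent sendmail children per remote address from <code>ps</code> output in the format shown, flags addresses that exceed a threshold, and prints iptables rules with an explicit <code>-j DROP</code> target (a rule with no <code>-j</code> target, like the two quoted, only matches and counts packets; it discards nothing). The second address (198.51.100.7, a documentation range) and the threshold are constructed for the example.</p>

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the process-list lines from the thread plus one
# constructed entry for a second, low-volume client (198.51.100.7 is a
# documentation address, not a real host) and the listening parent.
SAMPLE_PS = """\
root 7499 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 7550 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 8127 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] cmd read
root 11208 24331 0 14:13 ? 00:00:00 sendmail: server [201.238.254.243] startup
root 11300 24331 0 14:13 ? 00:00:00 sendmail: server [198.51.100.7] cmd read
root 24331 1 0 Feb26 ? 00:00:03 sendmail: accepting connections
"""

# sendmail sets the process title of an inbound child to
# "sendmail: server [<peer ip>] <state>"; capture the peer and the state.
SERVER_RE = re.compile(r"sendmail: server \[(\d{1,3}(?:\.\d{1,3}){3})\] (.+)$")

def connections_per_peer(ps_text):
    """Return {peer_ip: Counter(state -> count)} for inbound sendmail children."""
    peers = defaultdict(Counter)
    for line in ps_text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            ip, state = m.groups()
            peers[ip][state.strip()] += 1
    return peers

def flag_noisy_peers(ps_text, threshold=5):
    """Peers holding at least `threshold` concurrent sendmail children."""
    peers = connections_per_peer(ps_text)
    return sorted(ip for ip, states in peers.items()
                  if sum(states.values()) >= threshold)

def drop_rules(ip):
    """iptables commands that actually discard traffic to and from `ip`.
    -j DROP is the part the quoted rules lacked; -I inserts the rule at the
    head of the chain so an earlier ACCEPT cannot match first."""
    return [f"iptables -I INPUT -s {ip} -j DROP",
            f"iptables -I OUTPUT -d {ip} -j DROP"]

if __name__ == "__main__":
    for ip in flag_noisy_peers(SAMPLE_PS, threshold=3):
        print(ip, dict(connections_per_peer(SAMPLE_PS)[ip]))
        print("\n".join(drop_rules(ip)))
```

<p>On a live host, feed it <code>ps -ef</code> output instead of the constructed sample; the rules are printed, not executed, so they can be reviewed before being applied.</p>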