I'm running an Ubuntu/WordPress server on Amazon EC2 which is experiencing problems every 24-48 hours: I get a CPU alarm from EC2, log into the server, and discover sshd is running at 99.9% CPU.

This is a public-facing WordPress server, so normally, I would assume the server has been compromised... except port 22 is enabled only to my IP, root login is disabled, passwords are disabled, I have the only key, and last and lastb show that I'm the only user who has ever logged into sshd.

When I kill the offending process or reboot the server, all is OK for 24-48 hours, then the problem recurs.

Any advice or pointers would be very appreciated because I can't find a problem.

user123079
  • If the logfiles don't give you any hint, try `strace`ing the sshd process when the problem occurs to see what it's busy with. – etagenklo Nov 28 '13 at 17:15
  • Another idea is to check logs or issue `lsof` to find out whether any ssh connections are being made or attempted at that time. – reinierpost Nov 28 '13 at 17:53
  • These are both good suggestions, I will have to wait until the problem recurs to try them out. – user123079 Nov 28 '13 at 18:05
  • Why are you assuming that the SSH process that is using ~100% of the CPU is what you expect, and not some malware named ssh/sshd that an attacker dropped into an unusual folder on your system? Just because a process has the name ssh doesn't mean that the process is actually an ssh client/server. Inspect what that process is actually doing. What paths does it have open? What do you see if you attach strace to it? What is in the `/proc/{$pid}` directory for that process? – Zoredache Dec 05 '13 at 22:30
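The comments above converge on one check: do not trust the process name, look at what the PID is really executing. The script below is an added example, not from the question or any of the commenters, that collects those facts from `/proc` for a given PID and flags any process called `sshd` whose resolved binary is not the packaged one. It assumes a Linux `/proc` filesystem and that the distro's sshd lives at `/usr/sbin/sshd` (the Ubuntu package path); adjust `EXPECTED_SSHD` for other systems.

```shell
#!/bin/sh
# Added example: gather the facts the comments ask for about a CPU-hungry
# "sshd" before trusting its name. Assumes Linux /proc and the Ubuntu sshd path.

EXPECTED_SSHD=/usr/sbin/sshd   # assumption: path installed by the openssh-server package

# Print what a PID is really executing: resolved binary, working directory,
# full command line and open file descriptors (the /proc view, not the ps name).
proc_facts() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 2; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    echo "open fds:"
    ls -l "/proc/$pid/fd" 2>/dev/null || true
    return 0
}

# Return 0 only if the PID's real binary (the /proc/PID/exe link) is the packaged
# sshd. A link ending in "(deleted)" or pointing elsewhere fails this test, which
# is exactly the case a renamed binary in an odd directory would produce.
is_real_sshd() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    [ "$exe" = "$EXPECTED_SSHD" ]
}

# Check every process whose name is sshd and dump details for any impostor.
audit_sshd() {
    for pid in $(pgrep -x sshd); do
        if is_real_sshd "$pid"; then
            echo "pid $pid: OK ($EXPECTED_SSHD)"
        else
            echo "pid $pid: NOT the packaged sshd; inspect:"
            proc_facts "$pid"
        fi
    done
}

# Run the audit when invoked with --audit, e.g.  sudo sh check-sshd.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_sshd
fi
```

Run it as root when the CPU alarm fires, before killing the process: once the PID is gone, `/proc/PID` and its `exe` link are gone with it. If the binary turns out to be the real `/usr/sbin/sshd`, the `strace` and `lsof` suggestions in the comments are the next step; if it is not, preserve the `exe` target and the `cwd` for later analysis.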

0 Answers