Re: How sshd spawns and reuses pids

Hi Jochen and everyone,

Thanks so much for getting back to me.

SSH is not open to the internet, but I have one root process open to the internet, which made me suspect the potential of one of those memory corruption exploits that, through some sort of payload whose reverse shell my EDR is unable to detect for now, obtained sudo command execution capabilities.

When I disable Default use_pty, I can no longer reproduce what I now believe was a false-positive SSH session.

Therefore, what I think and have concluded is happening is the following. UTMP keeps at least the last 48 hours of logs of SSH session PIDs as exited sessions, and whenever I run sudo, e.g. sudo who -a, it reuses at least one of the last exited session processes with a known PID, some of which happened to belong to an SSH session. This is causing the randomness of the false positives that doubled my suspicions: sometimes it uses a PID that belongs to a session no longer appearing in the UTMP log (beyond 48 hours ago) and doesn't activate any session, so no false positive is triggered; otherwise sudo activates such an SSH session for a second as the session for the sudo command, exits again, and triggers a false positive.

Once more, disabling it by negating Default use_pty fixed this issue, yet it breaks OpenSCAP recommendations. Therefore, as remediation, I am going to check whether the session process was terminated before dispatching new SSH session notifications. I noticed that in 100% of cases the process actually was terminated, but the logs were confused by UTMP, as I know the who binary relies on UTMP.

And thanks, everyone, for your input and for helping me see more of what is happening in Linux.

Please have a good day.

Zak.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
