SSHD and Panamanian bots
Hi all. My strange situation looks like this: at some point sshd on a FreeBSD 9.1-RELEASE server stops responding. Like this:
$ ssh -v srv
OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to srv [192.168.0.5] port 22.
debug1: Connection established.
debug1: identity file /home/komintern/.ssh/id_rsa type -1
debug1: identity file /home/komintern/.ssh/id_rsa-cert type -1
debug1: identity file /home/komintern/.ssh/id_dsa type -1
debug1: identity file /home/komintern/.ssh/id_dsa-cert type -1
debug1: identity file /home/komintern/.ssh/id_ecdsa type -1
debug1: identity file /home/komintern/.ssh/id_ecdsa-cert type -1
lsof -p on the sshd parent process:
sshd 940 root 3u IPv4 0xfffffe0198bbc3d0 0t0 TCP *:ssh (LISTEN)
sshd 940 root 4u IPv4 0xfffffe02f182fb70 0t0 TCP srv:64810->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 5u IPv4 0xfffffe04c1eedb70 0t0 TCP srv:50593->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 6u IPv4 0xfffffe06530077a0 0t0 TCP srv:61666->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 7u IPv4 0xfffffe01c9e517a0 0t0 TCP srv:12042->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 8u IPv4 0xfffffe042c7e9b70 0t0 TCP srv:31370->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 9u IPv4 0xfffffe0381fc63d0 0t0 TCP srv:64563->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 10u IPv4 0xfffffe03f92bb3d0 0t0 TCP srv:64565->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 11u IPv4 0xfffffe07effba3d0 0t0 TCP srv:64566->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 12u IPv4 0xfffffe01798353d0 0t0 TCP srv:10607->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 13u IPv4 0xfffffe06a51ea000 0t0 TCP srv:64569->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 14u IPv4 0xfffffe06cca01b70 0t0 TCP srv:10614->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 15u IPv4 0xfffffe057c7267a0 0t0 TCP srv:10616->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sshd 940 root 16u IPv4 0xfffffe015b0277a0 0t0 TCP srv:12066->193.255.191.181.rdns.panamaserver.com:http (CLOSED)
sockstat:
root sshd 940 3 tcp4 *:22 *:*
root sshd 940 4 tcp4 192.168.0.5:64810 181.191.255.193:80
root sshd 940 5 tcp4 192.168.0.5:50593 181.191.255.193:80
root sshd 940 6 tcp4 192.168.0.5:61666 181.191.255.193:80
root sshd 940 7 tcp4 192.168.0.5:12042 181.191.255.193:80
root sshd 940 8 tcp4 192.168.0.5:31370 181.191.255.193:80
root sshd 940 9 tcp4 192.168.0.5:64563 181.191.255.193:80
root sshd 940 10 tcp4 192.168.0.5:64565 181.191.255.193:80
root sshd 940 11 tcp4 192.168.0.5:64566 181.191.255.193:80
root sshd 940 12 tcp4 192.168.0.5:10607 181.191.255.193:80
root sshd 940 13 tcp4 192.168.0.5:64569 181.191.255.193:80
root sshd 940 14 tcp4 192.168.0.5:10614 181.191.255.193:80
root sshd 940 15 tcp4 192.168.0.5:10616 181.191.255.193:80
root sshd 940 16 tcp4 192.168.0.5:12066 181.191.255.193:80
root sshd 940 17 tcp4 192.168.0.5:12072 181.191.255.193:80
root sshd 940 18 tcp4 192.168.0.5:45528 181.191.255.193:80
root sshd 940 19 tcp4 192.168.0.5:46683 181.191.255.193:80
root sshd 940 20 tcp4 192.168.0.5:46687 181.191.255.193:80
netstat:
tcp4 0 0 192.168.0.5.15718 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.52468 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.29572 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.16004 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.63611 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.63610 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.63609 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51769 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51764 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51763 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51761 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51752 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.51751 181.191.255.193.80 CLOSED
tcp4 0 0 192.168.0.5.33789 181.191.255.193.80 CLOSED
At the same time, fail2ban is installed on the server, and this address does not appear in its logs at all. Question: what have I run into? It is cured by restarting sshd, but how could this strange Panamanian bot hang my daemon? Grateful for any thoughts on the subject.
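The sockstat output above shows the one thing a listening daemon should never do on its own: the sshd parent (the process holding *:22) has a pile of outbound TCP connections to port 80 on an external host. A defender can catch that pattern mechanically. The script below is an added example, not part of the original post or of any FreeBSD tool; it parses sockstat(1)-style lines and flags every TCP socket of a listener process whose local port is not one of that daemon's service ports (an accepted inbound session has the service port as its local port; an outbound connection has an ephemeral one). The sample input is constructed in the same format as the post, with the post's sshd lines plus a hypothetical accepted session (pid 1203) and a syslogd listener added to show what is not flagged.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple


class Sock(NamedTuple):
    user: str
    command: str
    pid: int
    fd: str
    proto: str
    local: str
    foreign: str


# Constructed sample in FreeBSD sockstat(1) layout. Rows 2-3 mirror the
# post's sshd parent; pid 1203 and syslogd are hypothetical benign rows.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       940   3  tcp4   *:22                  *:*
root     sshd       940   4  tcp4   192.168.0.5:64810     181.191.255.193:80
root     sshd       940   5  tcp4   192.168.0.5:50593     181.191.255.193:80
root     sshd       1203  5  tcp4   192.168.0.5:22        192.168.0.10:51234
root     syslogd    601   4  udp4   *:514                 *:*
"""


def _split_addr(addr: str) -> Tuple[str, str]:
    """Split 'host:port' from the right so IPv6 hosts keep their colons."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_sockstat(text: str) -> List[Sock]:
    """Parse sockstat output; the header line and malformed rows are skipped."""
    records: List[Sock] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        if not pid.isdigit():
            continue
        records.append(Sock(user, command, int(pid), fd, proto, local, foreign))
    return records


def _service_ports(socks: List[Sock]) -> Dict[str, Set[str]]:
    """Map each command name to the TCP ports any of its processes listen on."""
    listen: Dict[str, Set[str]] = {}
    for s in socks:
        if s.proto.startswith("tcp") and s.foreign == "*:*":
            listen.setdefault(s.command, set()).add(_split_addr(s.local)[1])
    return listen


def find_unexpected_outbound(text: str, allow: Set[str] = frozenset()) -> List[Sock]:
    """Return TCP sockets of listener daemons that are not accepted inbound sessions.

    A connection whose local port is one of the daemon's own service ports was
    accepted on that port; anything else is a connection the daemon initiated.
    Daemons that are expected to dial out (a mail relay, say) go in `allow`.
    """
    socks = parse_sockstat(text)
    listen = _service_ports(socks)
    flagged: List[Sock] = []
    for s in socks:
        if not s.proto.startswith("tcp") or s.foreign == "*:*":
            continue                      # UDP or a listener itself
        if s.command not in listen or s.command in allow:
            continue                      # not a listener daemon, or allow-listed
        if _split_addr(s.local)[1] in listen[s.command]:
            continue                      # accepted inbound session on a service port
        flagged.append(s)
    return flagged


def summarize(text: str, allow: Set[str] = frozenset()) -> Counter:
    """Count flagged connections per (command, pid, foreign host) for triage."""
    return Counter(
        (s.command, s.pid, _split_addr(s.foreign)[0])
        for s in find_unexpected_outbound(text, allow)
    )


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SOCKSTAT).items():
        print(f"{key[0]} pid {key[1]} -> {key[2]}: {n} outbound connection(s)")
```

On a live host the text is simply the output of `sockstat -46` (FreeBSD) fed to the functions. The check is a heuristic keyed on the listener's own service ports, so a daemon that legitimately makes outbound connections must be allow-listed; for sshd, whose parent process has no reason to open client connections to port 80, any hit is a reason to verify the sshd binary against a known-good copy before trusting a restart.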