# Getting sshd: [pid] error: connect to in nightly security run log



## dbolton (Nov 18, 2012)

In the last couple weeks I have been seeing similar entries in my nightly security run output.


```
Nov 16 16:55:49 alpha sshd[21633]: error: connect_to 67.195.132.238 port 80: failed.
Nov 16 16:55:49 alpha sshd[21633]: error: connect_to 67.195.132.238 port 80: failed.
Nov 16 17:03:00 alpha sshd[21633]: error: connect_to 63.245.213.91 port 443: failed.
Nov 16 17:03:30 alpha sshd[21633]: error: connect_to 63.245.213.91 port 443: failed.
```

The top two are yahoo and the bottom two are Mozilla's sites. These seem to be very random as previous entries showed attempted connections to an old work place of mine. 

None of these attempts are initiated by me, and I am the only one who has access to this server. I also run sshd on a non-standard port (not 22). The server is updated/patched on a weekly basis, and is running v8.0 release. Nothing special, just apache hosting a single wordpress instance.

Does this mean I have some sort of rootkit or have been hacked? I am not seeing anything in my auth.log, messages or any other log that would indicate such, but of course any hacker would cover their tracks. Has anyone seen this before? What's the resolution?

Any help would be appreciated.
-D


----------



## bbzz (Nov 18, 2012)

That looks like what you'd get when you're unable to proxy with socks5 to somewhere else, i.e. ssh -D switch. 

I'd be mildly worried. Then again it could be something else.

On a second thought, it could be port scanning script.


----------



## gkontos (Nov 18, 2012)

It looks like something is trying to tunnel using sshd(8)() http/https traffic. I doubt that to be a wordpress plugin. 


Examine your logs very carefully and monitor all outgoing IP connections from the server.
Examine your firewall logs, especially your outgoing traffic.

FreeBSD 8.0-RELEASE is has reached EOL and there are many security issues which could have affected your system.


----------



## mamalos (Nov 19, 2012)

And wordpress is not hack-proof either. There is no need for an attacker to gain root privileges in order to use your machine as yet-another-hop-till-my-final-target, www works just fine as well.


----------



## SirDice (Nov 19, 2012)

dbolton said:
			
		

> The server is updated/patched on a weekly basis, and is running v8.0 release.


Apparently nobody checks this as there haven't been any patches since it went End-of-Life in November 2010.

http://www.freebsd.org/security/#unsup


----------



## dbolton (Nov 20, 2012)

Thanks for the replies everyone. I upgraded to v9 to resolve any potential issues.


----------



## mamalos (Nov 21, 2012)

If your box is _correctly_ compromised (and the attacker has gained root access), then it definitely contains a backdoor somewhere. The general rule for hacked machines: If in doubt, build it from scratch.


----------

