Suspicious process running under user sshd

Posted: 11 Mar 2013, 06:44
by DuffMan
Hi Guys, (and girls)

I am having this message emailed to me:
Suspicious process running under user sshd
/usr/sbin/sshd (deleted)

Command Line (often faked in exploits):

sshd: root [net]

it also has a TCP connection to some ip address.

I am a bit concerned what this is or how to go about troubleshooting it further.
If I do netstat I can see some ssh connections saying established from unknown IP addresses under the user root and sshd.
If I do "w" at the command line though I only see my own ssh connection active.

My questions:
Does the active netstat ssh connection represent authenticated sessions or someone trying to bruteforce?
Does w represent all active ssh sessions?

Any help with looking into why these suspicious processes running under user sshd started would be great.

System:
CentOS 6.4 X86_64
WHM 11.36.0 (build 11)
csf v6.00

Re: Suspicious process running under user sshd

Posted: 12 Mar 2013, 01:29
by DuffMan
I would like to add that this seems to happen every hour; I get 5 emails noting the suspicious activity.
It happens a couple of minutes past the hour, so for instance if I look at this morning:
8:02 AM
9:03 AM
10:03 AM
11:04 AM

Re: Suspicious process running under user sshd

Posted: 12 Mar 2013, 12:18
by squipper
Check your latest update log and see if SSH has been updated. If it has, stop the service then restart as the old executable may still be running even though a new version has been installed.
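The check squipper describes can be done directly from /proc rather than from the update log. On Linux, when a process is still running from a binary that has since been replaced on disk (which is what a package update of openssh-server does), the kernel reports the link target of /proc/PID/exe with a trailing " (deleted)", and that string is exactly what appears in the csf/lfd alert above. The script below is an added example, not from the thread or from csf; it classifies processes by that marker, first on a constructed sample listing (the pids and the sshd uid 74 are made up) and, with `--live`, on the running host. The process title form `sshd: <user> [net]` in the alert is OpenSSH's unprivileged pre-authentication child, which runs as the `sshd` user, so each of these corresponds to an inbound connection that had not finished authenticating when the alert fired.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose on-disk executable
# has been replaced or removed since the process started. Linux appends
# " (deleted)" to the /proc/PID/exe link target in that case.

# classify_exe_link PID UID COMM TARGET
# TARGET is what `readlink /proc/PID/exe` returned. Prints one verdict line.
classify_exe_link() {
    _pid=$1; _uid=$2; _comm=$3; _target=$4
    case "$_target" in
        *" (deleted)") echo "STALE pid=$_pid uid=$_uid comm=$_comm exe=$_target" ;;
        *)             echo "OK pid=$_pid uid=$_uid comm=$_comm exe=$_target" ;;
    esac
}

# classify_listing: read "PID UID COMM TARGET..." lines on stdin and print a
# verdict per line. TARGET may contain a space (" (deleted)"), so it is read last.
classify_listing() {
    while read -r _pid _uid _comm _target; do
        [ -n "$_pid" ] || continue
        classify_exe_link "$_pid" "$_uid" "$_comm" "$_target"
    done
}

# scan_live: build that listing from the running host and print only the stale
# processes. Needs Linux /proc; run as root to read every process's exe link.
scan_live() {
    for _p in /proc/[0-9]*; do
        _t=$(readlink "$_p/exe" 2>/dev/null) || continue
        _u=$(awk '/^Uid:/ {print $2}' "$_p/status" 2>/dev/null)
        _c=$(cat "$_p/comm" 2>/dev/null)
        printf '%s %s %s %s\n' "${_p#/proc/}" "$_u" "$_c" "$_t"
    done | classify_listing | grep '^STALE' || true
}

# Constructed sample listing (hypothetical pids; uid 74 stands in for the sshd
# user): a stale root session child, a stale pre-auth [net] child under the sshd
# user, and a freshly restarted listener that already maps to the new binary.
SAMPLE_LISTING='1234 0 sshd /usr/sbin/sshd (deleted)
1300 74 sshd /usr/sbin/sshd (deleted)
1401 0 sshd /usr/sbin/sshd'

# stale_count: number of STALE verdicts in the constructed sample (2).
stale_count() {
    printf '%s\n' "$SAMPLE_LISTING" | classify_listing | grep -c '^STALE'
}

# Usage: `sh stale_exe.sh` prints the classified sample; `sh stale_exe.sh --live`
# scans the current host instead.
if [ "${1:-}" = "--live" ]; then
    scan_live
else
    printf '%s\n' "$SAMPLE_LISTING" | classify_listing
fi
```

One point the output makes visible: `service sshd restart` replaces only the listening parent. Per-connection sshd children that were forked from the old binary, including pre-authentication `[net]` children, keep running from the deleted file until those connections end, so they still show as STALE and csf keeps alerting on them after an apparently successful restart. Once no sshd pid reports " (deleted)", the alert should stop; if a STALE entry is not an sshd child from the update, compare its exe path and start time with the package change time before drawing any conclusion.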

Re: Suspicious process running under user sshd

Posted: 12 Mar 2013, 21:56
by DuffMan
thanks for the reply,

I have checked the cPanel update log, and ssh has been updated.
I have then restarted it through WHM, and also have gone into shell and run service sshd restart.
Even though it is saying it is restarting successfully, the message is still appearing, and it doesn't seem to end my ssh session. (not sure if that is normal)
Is this sufficient or do I have to restart it another way?

Cheers