Strange ssh login

Posted by Hikaru on Server Fault See other posts from Server Fault or by Hikaru
Published on 2012-06-03T08:03:26Z Indexed on 2012/06/03 10:42 UTC
Read the original article Hit count: 217

Filed under:
|
|

I am running debian server and i have received a strange email warning about ssh login It says, that user mail logged in using ssh from remote address:

Environment info:
USER=mail
SSH_CLIENT=92.46.127.173 40814 22
MAIL=/var/mail/mail
HOME=/var/mail
SSH_TTY=/dev/pts/7
LOGNAME=mail
TERM=xterm
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
LANG=en_US.UTF-8
SHELL=/bin/sh
KRB5CCNAME=FILE:/tmp/krb5cc_8
PWD=/var/mail
SSH_CONNECTION=92.46.127.173 40814 my-ip-here 22

I looked in /etc/shadow and find out, that password for is not set

mail:*:15316:0:99999:7:::

I found this lines for login in auth.log

n  3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun  3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun  3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access
Jun  3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2
Jun  3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun  3 02:57:10 gw CRON[2051]: pam_unix(cron:session): session closed for user root

and lots of auth failures for this user. There is no lines with COMMAND string for this user.

Nothing was found with "rkhunter" and with "ps aux" process inspection, also there is no suspicious connections was found with "netstat" (as I can see)

Can anyone tell me how it is possible and what else should be done? Thanks in advance.

© Server Fault or respective owner

Related posts about linux

Related posts about security