Strange ssh login
Posted by Hikaru on Server Fault
Published on 2012-06-03T08:03:26Z
I am running a Debian server and I have received a strange email warning about an ssh login. It says that user mail logged in using ssh from a remote address:
Environment info:
USER=mail
SSH_CLIENT=92.46.127.173 40814 22
MAIL=/var/mail/mail
HOME=/var/mail
SSH_TTY=/dev/pts/7
LOGNAME=mail
TERM=xterm
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
LANG=en_US.UTF-8
SHELL=/bin/sh
KRB5CCNAME=FILE:/tmp/krb5cc_8
PWD=/var/mail
SSH_CONNECTION=92.46.127.173 40814 my-ip-here 22
I looked in /etc/shadow and found out that the password for this user is not set:
mail:*:15316:0:99999:7:::
I found these lines for the login in auth.log:
Jun 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access
Jun 3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2
Jun 3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun 3 02:57:10 gw CRON[2051]: pam_unix(cron:session): session closed for user root
and lots of auth failures for this user. There are no lines with the COMMAND string for this user.
Nothing was found with "rkhunter" or with "ps aux" process inspection, and no suspicious connections were found with "netstat" (as far as I can see).
Can anyone tell me how this is possible and what else should be done? Thanks in advance.
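As an added example (not part of the original question or of any answer on the page), the following Python script performs the cross-check a responder would want here: it parses the "Accepted password" lines from auth.log, looks the user up in /etc/shadow, and reports any password login accepted for an account whose local entry is locked, together with which PAM module granted access for that sshd process. The sample input is built from the log lines and shadow entry quoted in the question; the pam_unix failure line, the "alice" login and alice's shadow entry are constructed for contrast, and all function and field names are my own.

```python
import re

# Constructed sample auth.log: the lines quoted in the question, plus a
# pam_unix failure and a key-based login for 'alice' added for contrast.
SAMPLE_AUTH_LOG = """\
Jun 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access
Jun 3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2
Jun 3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun 3 02:57:10 gw CRON[2051]: pam_unix(cron:session): session closed for user root
Jun 3 03:10:41 gw sshd[2200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=mail
Jun 3 03:12:02 gw sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""

# Constructed sample /etc/shadow excerpt: the question's locked 'mail' entry
# plus a hypothetical normal account (the hash is a placeholder).
SAMPLE_SHADOW = """\
mail:*:15316:0:99999:7:::
alice:$6$placeholder$notarealhash:15316:0:99999:7:::
"""

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
WINBIND_GRANT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' granted access"
)


def parse_shadow(text):
    """Map user name -> password field for /etc/shadow formatted text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def is_locked(password_field):
    """'*' or a leading '!' means no local password can authenticate this account."""
    return password_field == "*" or password_field.startswith("!")


def parse_accepted_logins(text):
    """Extract successful sshd logins: pid, auth method, user, source ip, port."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            logins.append(d)
    return logins


def parse_winbind_grants(text):
    """Set of (sshd pid, user) pairs for which pam_winbind granted access."""
    grants = set()
    for line in text.splitlines():
        m = WINBIND_GRANT_RE.search(line)
        if m:
            grants.add((m.group("pid"), m.group("user")))
    return grants


def find_suspicious_logins(auth_log, shadow_text):
    """Password logins accepted for accounts whose local shadow entry is locked.

    Key-based logins are skipped because they never consult the password
    field. For each hit, the sshd pid is matched against pam_winbind grants
    so the report says which module actually accepted the credential.
    """
    shadow = parse_shadow(shadow_text)
    grants = parse_winbind_grants(auth_log)
    findings = []
    for login in parse_accepted_logins(auth_log):
        if login["method"] != "password":
            continue
        user = login["user"]
        local_field = shadow.get(user)
        if local_field is None or not is_locked(local_field):
            continue
        granted_by = "pam_winbind" if (login["pid"], user) in grants else "unknown"
        findings.append({
            "user": user,
            "ip": login["ip"],
            "port": login["port"],
            "pid": login["pid"],
            "granted_by": granted_by,
            "reason": (f"password login accepted for '{user}' from {login['ip']} "
                       f"although its local /etc/shadow entry is locked ({local_field!r}); "
                       f"credential accepted by {granted_by}"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_AUTH_LOG, SAMPLE_SHADOW):
        print(finding["reason"])
```

On the real host, run it as root over the actual files, for example `find_suspicious_logins(open("/var/log/auth.log").read(), open("/etc/shadow").read())`. The point the cross-check makes visible is that the "granted access" line comes from pam_winbind, which authenticates the supplied password against the Samba/AD domain through winbindd rather than against the local hash, so a locked entry in /etc/shadow does not by itself prevent a password login for a name that also exists in the domain.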
© Server Fault or respective owner