Hi Uwe,

On Fri, Aug 21, 2009 at 01:54:06PM +0800, Uwe Dippel wrote:
> Ryan Flannery wrote:
>> On Fri, Aug 21, 2009 at 1:19 AM, Uwe Dippel<udip...@uniten.edu.my> wrote:
>>
>>> Recently, I noticed an ssh user on one of my machines, who never logged on,
>>> is not visible with 'last', seems to have no terminal active, and is back
>>> immediately after a reboot.
>>> Hmm.
>>> root 13415 0.0 0.9 3280 2420 ?? Ss 12:04PM 0:00.08 sshd: isuser
>>> isuser 702 0.0 0.7 3280 1824 ?? S 12:04PM 0:00.00 sshd: isuser
>>> Whatever I do with finger, w, last, no trace of any activity; not even a
>>> login.
>>>
>>
>> Just to be clear here, do you see anything in /var/log/authlog?
>>
>
> Yes. Like
> Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2

And this XXX.XX.XX.XX is the address of a machine you know ? The user
is a well known user to you, some system account perhaps ?

> To be clear, the user exists, and logged on the last time three days ago
> as far as 'last' is concerned.

This does not really match up with your previous statements of "who
never logged on, is not visible with 'last'".

What is this user doing ? Any other processes running under his uid ?
If he's back "immediately" after a reboot, it sounds like an automated
log in (using password auth; that may be "interesting").

What exactly do you want to know here ? How to log in without showing
up in finger/w/last/etc ? Try `while :; do ssh ${HOST} read A; done`,
it does exactly what you describe.

Are you sure that account is not compromised and your machine is not
sending out lots of e-mail ?

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
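
A check for the situation discussed in this thread, as an added example that is not part of the original message: OpenSSH writes a utmp/wtmp record only for sessions that get a terminal, so a session without one appears in ps and authlog but not in w, who, finger or last. The function name is hypothetical, and the sample input is constructed except for the two isuser lines, which follow the ps output quoted above.

```shell
#!/bin/sh
# Added example: list users who own an sshd session process but have no
# utmp entry, i.e. the sessions that w/who/finger do not show.

# Constructed sample input. The two isuser lines follow the ps output quoted
# in the thread; the alice lines, the listener and the who output are made up.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ   RSS TT  STAT STARTED       TIME COMMAND
root     13415  0.0  0.9  3280  2420 ??  Ss   12:04PM    0:00.08 sshd: isuser
isuser     702  0.0  0.7  3280  1824 ??  S    12:04PM    0:00.00 sshd: isuser
root      2201  0.0  0.9  3280  2400 ??  Ss   11:40AM    0:00.07 sshd: alice [priv]
alice     2207  0.0  0.7  3280  1830 ??  S    11:40AM    0:00.02 sshd: alice@ttyp1
root      9121  0.0  0.5  1200   900 ??  Is    9:00AM    0:00.30 /usr/sbin/sshd'
SAMPLE_WHO='alice    ttyp1    Aug 21 11:40   (192.0.2.10)'

# untracked_sshd_users PS_TEXT WHO_TEXT   (hypothetical helper name)
# Prints "user count" for every non-root owner of an "sshd: ..." process
# (the unprivileged session child; root-owned monitors and the listener are
# skipped) who does not appear in the who output.
# Limitation: matching is per user, so a user with one terminal session and
# one session without a terminal is not reported.
untracked_sshd_users() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { in_ps = 1; next }                 # separator: ps text follows
        !in_ps      { if (NF) logged_in[$1] = 1; next } # who: column 1 is the user
        $1 != "root" && / sshd: / { sessions[$1]++ }    # ps: session children
        END {
            for (u in sessions)
                if (!(u in logged_in))
                    printf "%s %d\n", u, sessions[u]
        }' | sort
}

# On a live system: untracked_sshd_users "$(ps auxww)" "$(who)"
untracked_sshd_users "$SAMPLE_PS" "$SAMPLE_WHO"
```

Each reported user can then be matched against the "Accepted password for ..." lines in /var/log/authlog to see which address the session came from.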