On Fri, Aug 21, 2009 at 7:19 AM, Uwe Dippel <udip...@uniten.edu.my> wrote:
> Recently, I noticed an ssh user on one of my machines, who never logged on,
> is not visible with 'last', seems to have no terminal active, and is back
> immediately after a reboot.
> Hmm.
> root 13415 0.0 0.9 3280 2420 ?? Ss 12:04PM 0:00.08 sshd: isuser
> isuser 702 0.0 0.7 3280 1824 ?? S 12:04PM 0:00.00 sshd: isuser
> Whatever I do with finger, w, last, no trace of any activity; not even a
> login.
> I tried to kill the processes, and they are gone, but the next second
> another pair is up.
>
> Could anyone help me to explain what is going on here?
>
> Uwe
>

As it's not clear to me if isuser is a user you trust, created or needed for your services, I would say your machine might have been compromised.

What kind of traffic is isuser generating? Is it just a reverse ssh shell? Can you shut down his account or set his/her/its shell to nologin(8)?

Next install you might consider following the advice of mtree(8), as the output of previous and current `mtree -cK sha1digest` would be really useful here.
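The mtree(8) suggestion in the reply above, as an added example that is not part of the original thread and is not mtree itself: a small Python script implementing the same baseline-and-compare idea (record mode, size and sha1 of every regular file under a root, save that spec, and diff it later to list added, removed and changed files). The tab-separated spec format and the tree contents (a fake sshd binary, rc.local, a log file, a planted `etc/rc.d/isuser` respawn script) are constructed for the example.

```python
"""
Baseline-and-compare file integrity check in the spirit of
`mtree -cK sha1digest`. Added example; this is not mtree(8) and the
spec format below is a hypothetical one-line-per-file layout.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per regular file: (permission bits, size in bytes, sha1 hex digest)
Record = Tuple[int, int, str]


def sha1_of_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root: str) -> Dict[str, Record]:
    """Walk `root` and record mode, size and sha1 of every regular file.
    Symlinks are not followed; paths are stored relative to `root` with
    '/' separators so a spec taken before a reinstall still lines up."""
    spec: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            spec[rel] = (stat.S_IMODE(st.st_mode), st.st_size, sha1_of_file(full))
    return spec


def write_spec(spec: Dict[str, Record], path: str) -> None:
    with open(path, "w") as f:
        for rel in sorted(spec):
            mode, size, digest = spec[rel]
            f.write(f"{rel}\t{mode:04o}\t{size}\t{digest}\n")


def read_spec(path: str) -> Dict[str, Record]:
    spec: Dict[str, Record] = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            rel, mode, size, digest = line.split("\t")
            spec[rel] = (int(mode, 8), int(size), digest)
    return spec


def compare_specs(old: Dict[str, Record], new: Dict[str, Record]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed); 'changed' means mode, size or digest differs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake install tree, tamper with it the
    way a compromise might, then diff against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")

        def put(rel: str, data: bytes, mode: int = 0o644) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        # Baseline tree (constructed sample contents, not real binaries).
        put("usr/sbin/sshd", b"ELF sshd (original)", 0o555)
        put("etc/rc.local", b"# rc.local\n")
        put("var/log/authlog", b"Aug 21 12:04 login ok\n")
        baseline_path = os.path.join(tmp, "baseline.spec")
        write_spec(build_spec(root), baseline_path)

        # Tampering (constructed): replace sshd, flip rc.local to executable
        # without touching its contents, plant a respawn script, remove a log.
        put("usr/sbin/sshd", b"ELF sshd (modified)", 0o555)
        os.chmod(os.path.join(root, "etc/rc.local"), 0o755)
        put("etc/rc.d/isuser", b"#!/bin/sh\nwhile :; do sshd; done\n", 0o755)
        os.remove(os.path.join(root, "var/log/authlog"))

        added, removed, changed = compare_specs(read_spec(baseline_path), build_spec(root))
        return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The mode-only change to `etc/rc.local` is caught because the record compares permission bits as well as the digest, which is why a digest list alone is not enough. Whichever tool produces the spec, keep the baseline somewhere the host cannot rewrite it (removable media or another machine): an attacker who already has root can edit a spec left on the box just as easily as the binaries it describes.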