Paul de Weerd wrote:
Hi Uwe,
Yes. Like
Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2
And this XXX.XX.XX.XX is the address of a machine you know?
Yes
The user
is a well known user to you,
Yes
some system account perhaps?
No
To be clear, the user exists, and logged on the last time three days ago
as far as 'last' is concerned.
This does not really match up with your previous statements of "who
never logged on, is not visible with 'last'".
Sorry, my shoddy way of saying things. 'Never' meant 'never while there
were processes running under his user-ID in the last hours'
So his last 'last' is 3 days old.
What is this user doing? Any other processes running under his uid?
No, only the root- and user-id of ssh.
If he's back "immediately" after a reboot, it sounds like an automated
login (using password auth; that may be "interesting").
What exactly do you want to know here? How to log in without showing
up in finger/w/last/etc? Try `while :; do ssh ${HOST} read A; done`,
it does exactly what you describe.
Are you sure that account is not compromised and your machine is not
sending out lots of e-mail?
Hmm. How would I know? The daily security report gives out a reasonable
number of mails, top looks okay to me, low as usual.
Cheers,
Thanks,
Uwe
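
Added example, not part of the original message: a small Python check for the situation discussed in this thread, where sshd logs `Accepted password` but the login never shows up in `last` (as with the `ssh ${HOST} read A` loop mentioned above). The log lines, the `last` output, the year and the function name `unrecorded_logins` are constructed for illustration, and the check assumes `last` prints the same address string that sshd logged.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread); 192.0.2.10 is a documentation address.
AUTH_LOG = """\
Mar  7 09:15:02 host sshd[2101]: Accepted password for isuser from 192.0.2.10 port 61001 ssh2
Mar 10 14:02:11 host sshd[4711]: Accepted password for isuser from 192.0.2.10 port 61802 ssh2
Mar 10 14:02:40 host sshd[4720]: Failed password for isuser from 192.0.2.10 port 61803 ssh2
Mar 10 14:03:05 host sshd[4730]: Accepted password for isuser from 192.0.2.10 port 61804 ssh2
"""
LAST_OUTPUT = """\
isuser    ttyp0    192.0.2.10       Mon Mar  7 09:15 - 09:40  (00:25)
"""

ACCEPTED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                      r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
LAST = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+\w{3} (\w{3}\s+\d+ \d\d:\d\d)")

def _ts(text, fmt, year):
    # syslog and last(1) omit the year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {' '.join(text.split())}", f"%Y {fmt}")

def unrecorded_logins(auth_log, last_output, year=2000, slack=timedelta(minutes=1)):
    """Return accepted sshd logins with no wtmp session starting at that time."""
    sessions = [(m[1], m[2], _ts(m[3], "%b %d %H:%M", year))
                for m in map(LAST.match, last_output.splitlines()) if m]
    missing = []
    for m in filter(None, map(ACCEPTED.match, auth_log.splitlines())):
        when = _ts(m[1], "%b %d %H:%M:%S", year)
        minute = when.replace(second=0)  # last(1) only has minute resolution
        seen = any(u == m[3] and h == m[4] and minute <= start <= minute + slack
                   for u, h, start in sessions)
        if not seen:
            missing.append((when, m[3], m[4], int(m[5]), m[2]))
    return missing

if __name__ == "__main__":
    for when, user, host, port, method in unrecorded_logins(AUTH_LOG, LAST_OUTPUT):
        print(f"{when:%b %d %H:%M:%S} {user}@{host}:{port} ({method}) has no wtmp entry")
```

A steady stream of such entries from one source, each authenticated by password, matches the automated login pattern described in the thread.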