Paul de Weerd wrote:
tcpdump(8) will tell you a lot, I suppose ;) I guess the best way to
make sure the account is not compromised is talking to your user and
asking him if he can explain what is going on. Again, my current guess
is TCP forwarding, but it could be a lot of other things too. Ask your
user and see if he knows about this.
I can't as of now (weekend).
But I can see it reoccurring, kind of:
Aug 21 18:31:25 mybox sshd[31888]: Accepted password for isuser from XXX.XX.XX.XX port 57519 ssh2
in authlog, reflected pretty well by
isuser ttyp0 172.16.0.35 Fri Aug 21 18:31 - 18:31 (00:00)
in 'last'; though still busy sending stuff back and forth:
isuser 16994 0.0 0.8 3176 1992 ?? S 6:31PM 0:00.13 sshd: isuser
There have been a bunch of logons by that user, with 00:00 logon duration, during
the last weeks. The only thing running from this user at this moment is
the ssh.
That would mean one can log on, spawn a process, log off, and the
process keeps running?
Then everything could be 'fine', and the system not compromised, only
exploited to run some ssh-tunnel or so.
Though this behaviour of the system would be unexpected to me.
Uwe
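A small check for the pattern discussed in this thread (repeated zero-length sessions in `last` while an `sshd: user` child is still alive, which is what a forwarding-only session looks like), added here as an example and not code from either poster. The authlog, last(1) and ps(1) lines are constructed to mirror the formats quoted above, and the threshold of two zero-length sessions is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the authlog, last(1) and ps(1) lines
# quoted in the thread; none of it is real data from the poster's system.
AUTHLOG = """\
Aug 21 18:31:25 mybox sshd[31888]: Accepted password for isuser from 172.16.0.35 port 57519 ssh2
Aug 21 19:02:10 mybox sshd[32011]: Accepted password for isuser from 172.16.0.35 port 57640 ssh2
Aug 21 19:05:44 mybox sshd[32040]: Accepted publickey for alice from 172.16.0.7 port 50122 ssh2
"""
LAST = """\
isuser  ttyp0  172.16.0.35  Fri Aug 21 18:31 - 18:31  (00:00)
isuser  ttyp1  172.16.0.35  Fri Aug 21 19:02 - 19:02  (00:00)
alice   ttyp2  172.16.0.7   Fri Aug 21 19:05 - 19:40  (00:35)
"""
PS = """\
isuser 16994 0.0 0.8 3176 1992 ?? S 6:31PM 0:00.13 sshd: isuser
alice  16001 0.0 0.9 3200 2100 p2 S 7:05PM 0:00.40 -ksh
"""

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
LAST_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+.*\((\d+):(\d+)\)\s*$")
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s.*\ssshd: (\S+)\s*$")

def parse_authlog(text):
    """Return (user, source, auth method) for every accepted login line."""
    return [(m.group(2), m.group(3), m.group(1))
            for line in text.splitlines() if (m := ACCEPT_RE.search(line))]

def parse_last(text):
    """Return (user, source, session length in minutes) per last(1) line."""
    out = []
    for line in text.splitlines():
        if m := LAST_RE.match(line):
            out.append((m.group(1), m.group(2), int(m.group(3)) * 60 + int(m.group(4))))
    return out

def lingering_sshd(text):
    """Users that still own an 'sshd: user' child process in ps output."""
    return {m.group(3) for line in text.splitlines() if (m := PS_RE.match(line))}

def suspect_tunnel_users(authlog, last, ps, min_sessions=2):
    """Flag users with at least min_sessions zero-length sessions whose sshd
    child is still running; report the sources their logins came from."""
    zero = defaultdict(int)
    for user, _src, minutes in parse_last(last):
        if minutes == 0:
            zero[user] += 1
    sources = defaultdict(set)
    for user, src, _method in parse_authlog(authlog):
        sources[user].add(src)
    alive = lingering_sshd(ps)
    return {u: {"zero_sessions": n, "sources": sorted(sources[u])}
            for u, n in zero.items() if n >= min_sessions and u in alive}
```

On a host where the account has no legitimate need for forwarding, `AllowTcpForwarding no` in sshd_config removes the capability rather than just detecting its use.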