Hi, I have a serious issue related to the PlcmSpIp user, created from sipx. It looks like my server was compromised.
I see these in my secure logs:

    sshd[16435]: Accepted password for PlcmSpIp from 69.225.246.190 port 37241 ssh2
    sshd[16435]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)

And this in the logwatch report:

    Users logging in through sshd:
        PlcmSpIp:
            69.225.246.190 (adsl-69-225-246-190.dsl.skt2ca.pacbell.net): 1 time

How can this be possible? I see that the users created from sipx have these lines in /etc/passwd:

    PlcmSpIp:x:806:806::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
    lvp2890:x:807:807::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin

How is it possible for someone to connect to the system through ssh using PlcmSpIp?

_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
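
A check for the situation reported above, as an added example that is not part of the original post: it cross-references sshd "Accepted" lines against /etc/passwd and flags authentications for accounts whose shell is a no-login shell. The function names, the `root` and `Failed password` sample lines, and the 192.0.2.x addresses are constructed for illustration; the PlcmSpIp and lvp2890 lines are the ones quoted in the post.

```python
import re

# Sample data: the PlcmSpIp/lvp2890 passwd entries and the first two log lines
# are quoted from the post; the root entry and last two log lines are constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:806:806::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
lvp2890:x:807:807::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
"""
SECURE_LOG = """\
sshd[16435]: Accepted password for PlcmSpIp from 69.225.246.190 port 37241 ssh2
sshd[16435]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
sshd[16502]: Accepted password for root from 192.0.2.10 port 40022 ssh2
sshd[16510]: Failed password for lvp2890 from 192.0.2.77 port 40100 ssh2
"""

# Shells that refuse an interactive session (assumed set; extend as needed).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# search() is used below, so a syslog timestamp/hostname prefix is tolerated.
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def nologin_accounts(passwd_text):
    """Return {user: shell} for passwd entries whose shell is a no-login shell."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] in NOLOGIN_SHELLS:
            accounts[fields[0]] = fields[6]
    return accounts

def suspicious_logins(log_text, passwd_text):
    """Return accepted sshd authentications for accounts with a no-login shell."""
    restricted = nologin_accounts(passwd_text)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group("user") in restricted:
            hits.append({"user": m.group("user"), "ip": m.group("ip"),
                         "method": m.group("method"), "pid": int(m.group("pid"))})
    return hits

if __name__ == "__main__":
    for hit in suspicious_logins(SECURE_LOG, PASSWD):
        print(hit)
```

A hit means sshd accepted the account's credentials: the shell field in /etc/passwd only decides what runs after authentication, so an account with /sbin/nologin still authenticates if it has a usable password.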