Hi,

I have a serious issue related to the PlcmSpIp user, created by sipx. It
looks like my server was compromised.

I see these in my secure logs:

sshd[16435]: Accepted password for PlcmSpIp from 69.225.246.190 port 37241 ssh2
sshd[16435]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)

And this in logwatch report:
 Users logging in through sshd:
    PlcmSpIp:
       69.225.246.190 (adsl-69-225-246-190.dsl.skt2ca.pacbell.net): 1 time

How can this be possible?

I see that the users created from sipx have these lines in /etc/passwd:

PlcmSpIp:x:806:806::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
lvp2890:x:807:807::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin


How is it possible for someone to connect to the system through ssh using
PlcmSpIp?


 

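A check a defender could run on a host like this one, as an added example that is not part of the original post: it lists sshd "Accepted" log entries for accounts whose /etc/passwd shell is a no-login shell, which is the combination reported above. The sample data is constructed from the lines quoted in the post (timestamps, hostname and the extra entries are made up), and the function names and the shell list are assumptions.

```python
import re

# Constructed sample data modelled on the lines quoted in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
PlcmSpIp:x:806:806::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
lvp2890:x:807:807::/var/sipxdata/configserver/phone/profile/tftproot:/sbin/nologin
"""
SAMPLE_SECURE_LOG = """\
Jan  1 00:00:01 host sshd[16435]: Accepted password for PlcmSpIp from 69.225.246.190 port 37241 ssh2
Jan  1 00:00:01 host sshd[16435]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Jan  1 00:05:00 host sshd[16500]: Failed password for lvp2890 from 192.0.2.10 port 40000 ssh2
Jan  1 00:06:00 host sshd[16510]: Accepted publickey for root from 192.0.2.20 port 40100 ssh2
"""

# Shells that refuse an interactive session (assumed list; extend as needed).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<source>\S+) port (?P<port>\d+)"
)

def nologin_accounts(passwd_text):
    """Return the account names whose seventh passwd field is a no-login shell."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].strip() in NOLOGIN_SHELLS:
            names.add(fields[0])
    return names

def find_suspicious_logins(passwd_text, log_text):
    """Return successful sshd authentications for no-login accounts."""
    restricted = nologin_accounts(passwd_text)
    hits = []
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if match and match.group("user") in restricted:
            hits.append(match.groupdict())
    return hits

if __name__ == "__main__":
    # On a live system, read /etc/passwd and the sshd auth log instead.
    for hit in find_suspicious_logins(SAMPLE_PASSWD, SAMPLE_SECURE_LOG):
        print("{user} authenticated via {method} from {source}:{port} (sshd pid {pid})".format(**hit))
```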