Iñigo Ortiz de Urbina wrote:
> As it's not clear to me if isuser is a user you trust, created or
> needed for your services,

'Trusted', created by myself, needs a local account.

> I would say your machine might have been compromised. What kind of
> traffic is isuser generating?

Difficult to find out if I assume I could not trust my box any longer.

> Is it just a reverse ssh shell?

Could very well be.
Would this not show in 'last' or 'w'?
Interesting to me, that no pseudo-terminal is associated with the
activities (ssh), contrary to a usual local logon.

> Can you shut down his account or set his/her/its shell to nologin(8)?

I'll try this next when I see her activities: nologin.

> Next install you might consider following the advice of mtree(8) as
> the output of previous and current `mtree -cK sha1digest` would be
> really useful here.

I'll have to study this first.
Thanks!