On Fri, Aug 21, 2009 at 06:00:10PM +0800, Uwe Dippel wrote:
> Paul de Weerd wrote:
>> Hi Uwe,
>>
>>
>>>
>>> Yes. Like
>>> Accepted password for isuser from XXX.XX.XX.XX port 61802 ssh2
>>>
>>
>> And this XXX.XX.XX.XX is the address of a machine you know ?
>
> Yes
Is it under your control ? Can you see what is going on on that
machine, who or what is connecting to your box as 'isuser' ?
>> The user
>> is a well known user to you,
>
> Yes
Have you talked to the user to ask him what he's doing ?
>> some system account perhaps ?
>>
>
> No
Some scripted backup maybe ? Or someone using your machine for
outgoing connections (eg TCP forwarding over SSH) ?
>>
>>> To be clear, the user exists, and logged on the last time three days
>>> ago as far as 'last' is concerned.
>>>
>>
>> This does not really match up with your previous statements of "who
>> never logged on, is not visible with 'last'".
>>
>
> Sorry, my shoddy way of saying things. 'Never' meant 'never while there
> were processes running under his user-ID in the last hours'
> So his last 'last' is 3 days old.
Right, well .. this is easily synthesized with a `ssh ${HOST} sleep
86400` or something similar in a while true-loop. You're only logged
in if you get a tty assigned. Do you see a lot of entries for this
user in authlog (repeated sessions) or just a few (long lived
sessions) ?
>> What is this user doing ? Any other processes running under his uid ?
>>
>
> No, only the root- and user-id of ssh.
Sounds more and more like TCP forwarding then.
>> If he's back "immediately" after a reboot, it sounds like an automated
>> log in (using password auth; that may be "interesting").
>>
>> What exactly do you want to know here ? How to log in without showing
>> up in finger/w/last/etc ? Try `while :; do ssh ${HOST} read A; done`,
>> it does exactly what you describe.
>>
>> Are you sure that account is not compromised and your machine is not
>> sending out lots of e-mail ?
>>
>
> Hmm. How would I know? The daily security report gives out a reasonable
> number of mails, top looks okay to me, low as usual.
tcpdump(8) will tell you a lot, I suppose ;) I guess the best way to
make sure the account is not compromised is talking to your user and
asking him if he can explain what is going on. Again, my current guess
is TCP forwarding, but it could be a lot of other things too. Ask your
user and see if he knows about this. If he doesn't, close the account
and do some research to see if anything bad happened (check logs etc).
Cheers,
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
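Paul's question about whether authlog shows many repeated sessions or a few long-lived ones is the key distinction between a login loop and something like a persistent forwarding tunnel. The following is an added example, not code from either mail, that pairs the "Accepted ... for user from host port N ssh2" lines with matching disconnect lines and classifies each user's pattern. The authlog lines are constructed; the "Disconnected from user ..." format and the thresholds (60 s for "short", 3 sessions for "many", 1 h for "long-lived") are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authlog (not from the thread). The "Accepted password for"
# shape matches the line Uwe quoted; the "Disconnected from user" shape is an
# assumption about what the matching session-end line looks like.
SAMPLE_AUTHLOG = """\
Aug 21 09:12:44 host sshd[2001]: Accepted publickey for backup from 192.0.2.20 port 40000 ssh2
Aug 21 17:00:01 host sshd[1001]: Accepted password for isuser from 192.0.2.10 port 61802 ssh2
Aug 21 17:00:03 host sshd[1001]: Disconnected from user isuser 192.0.2.10 port 61802
Aug 21 17:00:04 host sshd[1002]: Accepted password for isuser from 192.0.2.10 port 61803 ssh2
Aug 21 17:00:06 host sshd[1002]: Disconnected from user isuser 192.0.2.10 port 61803
Aug 21 17:00:07 host sshd[1003]: Accepted password for isuser from 192.0.2.10 port 61804 ssh2
Aug 21 17:00:09 host sshd[1003]: Disconnected from user isuser 192.0.2.10 port 61804
Aug 21 19:12:44 host sshd[2001]: Disconnected from user backup 192.0.2.20 port 40000
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
DISC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Disconnected from user (?P<user>\S+) (?P<src>\S+) port (?P<port>\d+)"
)


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_sessions(log_text, year=2009):
    """Pair each accepted login with its disconnect by (user, src, port)."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            key = (m["user"], m["src"], m["port"])
            open_sessions[key] = {"user": m["user"], "src": m["src"],
                                  "method": m["method"],
                                  "start": parse_ts(m["ts"], year), "end": None}
            continue
        m = DISC_RE.match(line)
        if m:
            sess = open_sessions.pop((m["user"], m["src"], m["port"]), None)
            if sess is not None:
                sess["end"] = parse_ts(m["ts"], year)
                sessions.append(sess)
    # Sessions with no disconnect seen are still open; keep them with end=None.
    sessions.extend(open_sessions.values())
    return sessions


def summarize(sessions, short_secs=60, many=3, long_secs=3600):
    """Per user: session count, sources, auth methods, longest duration, pattern."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s["user"]].append(s)
    report = {}
    for user, ss in per_user.items():
        durations = [(s["end"] - s["start"]).total_seconds() for s in ss if s["end"]]
        still_open = any(s["end"] is None for s in ss)
        short = sum(1 for d in durations if d < short_secs)
        longest = max(durations, default=None)
        if len(ss) >= many and short == len(durations):
            pattern = "repeated short sessions"      # looks like a login loop
        elif still_open or (longest is not None and longest >= long_secs):
            pattern = "long-lived session"           # tunnel / keepalive style
        else:
            pattern = "ordinary"
        report[user] = {
            "sessions": len(ss),
            "sources": sorted({s["src"] for s in ss}),
            "methods": sorted({s["method"] for s in ss}),
            "longest_secs": longest,
            "password_auth": any(s["method"] == "password" for s in ss),
            "pattern": pattern,
        }
    return report


if __name__ == "__main__":
    for user, info in summarize(parse_sessions(SAMPLE_AUTHLOG)).items():
        print(user, info)
```

Run it against a real `/var/log/authlog` by replacing `SAMPLE_AUTHLOG` with the file's contents and passing the right year. A user whose entries come out as "repeated short sessions" over password auth from a single source is the case Paul describes; "long-lived session" with no other processes under that uid points toward forwarding, and in either case the next step is the one he suggests: ask the user, and check the source host.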