On Fri, Aug 21, 2009 at 07:51:57PM +0800, Uwe Dippel wrote:
> Paul de Weerd wrote:
>>
>>
>> tcpdump(8) will tell you a lot, I suppose ;) I guess the best way to
>> make sure the account is not compromised is talking to your user and
>> asking him if he can explain what is going on. Again, my current guess
>> is TCP forwarding, but it could be a lot of other things too. Ask your
>> user and see if he knows about this.
>
> I can't as of now (weekend).
>
> But I can see it reoccurring, kind of:
> Aug 21 18:31:25 mybox sshd[31888]: Accepted password for isuser from XXX.XX.XX.XX port 57519 ssh2
> in authlog, reflected pretty well by
> isuser  ttyp0    172.16.0.35              Fri Aug 21 18:31 - 18:31  (00:00)
> in 'last'; though still busy sending stuff forth and back:
> isuser 16994  0.0  0.8  3176  1992 ??  S      6:31PM    0:00.13 sshd: isuser
>
> There are a bunch of logons of that user, of 00:00 logon duration during  
> the last weeks. The only thing running from this user at this moment is  
> the ssh.
> That would mean, one can log on, spawn a process, log off, and the  
> process keeps running?
> Then everything could be 'fine', and the system not compromised, only  
> exploited to run some ssh-tunnel or so.
> Though this behaviour of the system would be unexpected by myself.

You could check for the presence of forwarded TCP sessions with fstat;
an example looks like this:

weerd    sshd       29016   11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 --> 127.0.0.1:3128

If you open an ssh session to a remote machine with a forwarded port,
then open the forwarded port and once the connection over the
forwarded port has been established ^D the initial session, you'll get
the behaviour you just described. The established TCP session over the
forwarded connection keeps the SSH session alive but the user is shown
as logged out (and no processes show other than the sshd's you
mentioned).

Again .. talk to your user. I bet (s)he can explain this.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
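The check Paul describes, turned into a script, as an added example that is not part of the thread and not an OpenBSD tool: it takes fstat(1) output and who(1) output, keeps only sshd processes that hold a connected TCP stream, drops the SSH transport socket itself (local port 22 by default), and reports the remaining connections whose owning user has no tty session in who(1). Those are exactly the "logged out but still forwarding" sessions. Assumptions: the fstat field layout is the one in the quoted line (user, command, pid, fd, domain, type, protocol, address, local endpoint, arrow, remote endpoint), either arrow form "-->" or "<--" may appear, and who(1) prints the user name in its first column. The sample fstat and who lines below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): list sshd children that still
# hold forwarded TCP connections for users who no longer have a login session.

# find_orphan_forwards FSTAT_OUTPUT WHO_OUTPUT [SSHPORT]
# Prints "user pid local arrow remote" for every connected TCP stream held by an
# sshd process whose user does not appear in WHO_OUTPUT. The SSH transport
# socket itself (local port SSHPORT, default 22) is skipped so that only the
# forwarded connections are reported.
find_orphan_forwards() {
    # users with a live tty session, padded with spaces so " name " matches whole words
    live=$(printf '%s\n' "$2" | awk '{print $1}' | sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v live=" $live" -v sshport="${3:-22}" '
        # assumed fstat(1) socket line layout (as in the quoted example):
        # user cmd pid fd domain type proto addr local arrow remote
        $2 != "sshd" || $5 !~ /^internet6?$/ || $6 != "stream" || $7 != "tcp" || NF < 11 { next }
        {
            local = $9; sub(/.*:/, "", local)      # local port of this socket
            if (local == sshport) next             # the SSH session socket, not a forward
            if (index(live, " " $1 " ")) next      # user still logged in per who(1)
            print $1, $3, $9, $10, $11
        }'
}

# Constructed sample data modelled on the fstat line quoted in the mail:
# root's listener, isuser's session socket plus a forward to a proxy on 3128,
# and weerd's equivalent pair.
FSTAT_SAMPLE='root   sshd  24152 3* internet stream tcp 0x4000915a000 *:22
isuser sshd  16994 4* internet stream tcp 0x40009ab3000 172.16.0.2:22 <-- 172.16.0.35:57519
isuser sshd  16994 11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 --> 127.0.0.1:3128
weerd  sshd  29016 4* internet stream tcp 0x40009ab1000 172.16.0.2:22 <-- 172.16.0.40:40012
weerd  sshd  29016 11* internet stream tcp 0x40009ab2100 127.0.0.1:44411 --> 127.0.0.1:3128'

# Constructed who(1) output: only weerd still has a tty.
WHO_SAMPLE='weerd    ttyp1    Aug 21 18:40   (172.16.0.40)'

# Stand-alone demonstration on the sample; on a real host run as root:
#   find_orphan_forwards "$(fstat)" "$(who)"
find_orphan_forwards "$FSTAT_SAMPLE" "$WHO_SAMPLE"
```

On the sample this reports isuser's forward to 127.0.0.1:3128 and nothing for weerd, who still has a session. fstat has to run as root to see other users' descriptors, and a hit from this script only tells you that a forward is alive after logout, which is exactly the legitimate ssh -L/-R behaviour Paul describes; it is the remote endpoint of the forward that tells you whether the user has an innocent explanation.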
