Linux – Strange ssh login

Tags: linux, security, ssh

I am running a Debian server and I have received a strange email warning about an SSH login.
It says that user mail logged in using SSH from a remote address:

Environment info:
USER=mail
SSH_CLIENT=92.46.127.173 40814 22
MAIL=/var/mail/mail
HOME=/var/mail
SSH_TTY=/dev/pts/7
LOGNAME=mail
TERM=xterm
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
LANG=en_US.UTF-8
SHELL=/bin/sh
KRB5CCNAME=FILE:/tmp/krb5cc_8
PWD=/var/mail
SSH_CONNECTION=92.46.127.173 40814 my-ip-here 22

I looked in /etc/shadow and found out that the password for this user is not set:

mail:*:15316:0:99999:7:::

I found these lines for the login in auth.log:

Jun  3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun  3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun  3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access
Jun  3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2
Jun  3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun  3 02:57:10 gw CRON[2051]: pam_unix(cron:session): session closed for user root

and lots of auth failures for this user. There are no lines with the COMMAND string for this user.

Nothing was found with rkhunter or with ps aux process inspection; also, no suspicious connections were found with netstat (as far as I can see).

UPD: forgot to mention that the logins were relatively short, 26 seconds for the longest one according to the wtmp log.

Can anyone tell me how it is possible and what else should be done?
Thanks in advance.
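As an added example (not from the original question or answer), here is a small Python check that does what the question does by hand: it cross-references `Accepted password` events in auth.log against /etc/shadow, so that a password login to an account with no usable local password (like `mail:*`) is flagged together with the PAM module that granted it. The shadow and log lines are constructed samples modelled on the ones quoted above.

```python
import re

# Constructed sample data modelled on the lines quoted in the question.
SHADOW = """root:$6$saltsalt$hashhashhash:15316:0:99999:7:::
mail:*:15316:0:99999:7:::
alice:$6$saltsalt$otherhash:15316:0:99999:7:::"""

AUTH_LOG = """Jun  3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access
Jun  3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2
Jun  3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Jun  3 03:10:41 gw sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2"""

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
GRANTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(sshd:auth\): "
    r"user '(?P<user>[^']+)' granted access")


def locked_accounts(shadow_text):
    """Users whose shadow password field allows no local password login.
    An empty field, '*', or anything starting with '!' means no usable local password."""
    locked = set()
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        if field in ("", "*") or field.startswith("!"):
            locked.add(user)
    return locked


def find_suspicious_logins(auth_log, shadow_text):
    """Flag 'Accepted password' logins for accounts with no usable local password.
    Such a login must have been authorised by a non-local PAM backend; sshd logs that
    as a '<module>(sshd:auth): user ... granted access' line with the same pid."""
    locked = locked_accounts(shadow_text)
    granted_by = {}   # sshd pid -> PAM module that granted access
    findings = []
    for line in auth_log.splitlines():
        g = GRANTED_RE.search(line)
        if g:
            granted_by[g["pid"]] = g["module"]
        a = ACCEPTED_RE.search(line)
        if a and a["method"] == "password" and a["user"] in locked:
            findings.append({"user": a["user"], "ip": a["ip"], "port": int(a["port"]),
                             "authorised_by": granted_by.get(a["pid"], "unknown")})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(AUTH_LOG, SHADOW):
        print(f)
```

To run it against a real server, read /etc/shadow and /var/log/auth.log into the two strings instead of the constructed samples.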

Best Answer

First disconnect the system from the Internet.

It looks like the attacker was able to obtain root access to the system.

If the passwords used on this system were used elsewhere, change them.

Inform your users.

Reimage the system.

Change all passwords.