Uwe Dippel wrote:
> I can't as of now (weekend).
>
> But I can see it reoccurring, kind of:
> Aug 21 18:31:25 mybox sshd[31888]: Accepted password for isuser from XXX.XX.XX.XX port 57519 ssh2
> in authlog, reflected pretty well by
> isuser ttyp0 172.16.0.35 Fri Aug 21 18:31 - 18:31 (00:00)
> in 'last'; though still busy sending stuff forth and back:
> isuser 16994 0.0 0.8 3176 1992 ?? S 6:31PM 0:00.13 sshd: isuser
>
> There are a bunch of logons of that user, of 00:00 logon duration during
> the last weeks. The only thing running from this user at this moment is
> the ssh.
> That would mean, one can log on, spawn a process, log off, and the
> process keeps running?
> Then everything could be 'fine', and the system not compromised, only
> exploited to run some ssh-tunnel or so.
> Though this behaviour of the system would be unexpected by myself.
>
> Uwe

Have you considered adding a PF rule that would drop all incoming login requests from this specific user?

--
-wittig
http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/
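A triage check for the pattern described in the quoted message (logins of 00:00 duration in `last` while an sshd process owned by the same user keeps running), added here as an example and not part of the original thread. The sample `last` and `ps` text is constructed from the lines quoted above; the function name `lingering_sshd` and the extra rows are assumptions.

```python
import re
from collections import Counter

# Constructed samples, modelled on the `last` and `ps` lines quoted above.
LAST_TEXT = """\
isuser  ttyp0  172.16.0.35  Fri Aug 21 18:31 - 18:31  (00:00)
admin   ttyp1  172.16.0.10  Fri Aug 21 09:02   still logged in
isuser  ttyp0  172.16.0.35  Thu Aug 20 02:14 - 02:14  (00:00)
isuser  ttyp0  172.16.0.35  Wed Aug 19 23:50 - 23:50  (00:00)
"""
PS_TEXT = """\
USER    PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
root  31888  0.0  0.9 3300 2100 ?? Ss    6:31PM 0:00.05 sshd: isuser [priv]
isuser 16994 0.0  0.8 3176 1992 ?? S     6:31PM 0:00.13 sshd: isuser
admin 20311  0.0  0.9 3300 2100 ?? S     9:02AM 0:00.40 sshd: admin@ttyp1
"""

# user, tty, host, then either "(dd+hh:mm)" / "(hh:mm)" or "still logged in".
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+.*?"
    r"(?:\((?P<dur>(?:\d+\+)?\d{2}:\d{2})\)|(?P<open>still logged in))\s*$"
)

def lingering_sshd(last_text, ps_text):
    """Return (user, pid, zero_duration_logins) for every non-root sshd
    process whose owner has no login record that is still open."""
    zero, open_users = Counter(), set()
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue                      # reboot rows, "wtmp begins", blanks
        if m["open"]:
            open_users.add(m["user"])
        elif m["dur"] == "00:00":
            zero[m["user"]] += 1
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 10)      # 11th field is the full command
        if len(parts) < 11 or not parts[1].isdigit():
            continue                      # header or short line
        owner, pid, cmd = parts[0], int(parts[1]), parts[10]
        # Root-owned sshd rows (listener, privileged monitor) are skipped;
        # the per-session process runs as the logged-in user.
        if owner != "root" and cmd.startswith("sshd:") and owner not in open_users:
            findings.append((owner, pid, zero[owner]))
    return findings

if __name__ == "__main__":
    for user, pid, n in lingering_sshd(LAST_TEXT, PS_TEXT):
        print(f"{user}: sshd pid {pid}, no open login record, {n} logins of 00:00")
```

On a live host the two arguments would be the output of `last` and `ps aux`; a hit is a lead for further investigation, not a verdict.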