Eric_Bo
asked on
malicious ssh user hack in ?
Hi, everybody
I have a Debian sarge box running at home; every now and then I find this weird ssh connection from outside
to my machine, and I have no clue what it is.
bo@bash:~$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 68 xxx.xxx.20.22:ssh ::ffff:209.181.6.8:2679 ESTABLISHED
"ps uax" gives me this:
root 2524 0.0 0.2 5036 1848 ? Ss 00:02 0:00 sshd: unknown [priv]
sshd 2525 0.0 0.2 4844 1712 ? S 00:02 0:00 sshd: jack [net]
bo 2923 0.0 0.1 2528 852 pts/3 R+ 00:10 0:00 ps uax
but "w" doesn't give me a new user or anything unusual ...
Can anybody help me out? What is this? What is that "jack" thing?
BR
If you go to the IP address 209.181.6.8 in your browser it pulls up a web site maintained by him. Seems to deal with a company called HSNG. They seem to be a consulting group.
The page says it is maintained by Christopher J. Pace and it says you can contact him at cpace@hnsg.net. But it won't work, the hnsg.net domain expired June 10, 2005.
So I might even put in an iptables rule to reject any tcp connections from that subnet, and also enable logwatch to start emailing you daily summaries of activities to show you what users are successfully authenticating, what is being tried, and by whom.
I would also look at your /etc/password file and /etc/groups to see if anything has been added.
do you know a jack?
-t
ASKER
I don't have an account in the system named "jack", and chkrootkit gave me a clean report. If I try to connect to my machine as jack from outside, of course without a password, but leave the password prompt waiting, I get the same result as above. Looks like someone found my machine's IP and is trying to connect.
How do I enable a logwatch giving me summaries about authentications ?
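Added note and example, not part of the original thread: the `sshd: unknown [priv]` / `sshd: jack [net]` pair in the ps listing is how privilege-separated sshd shows a connection that has not authenticated yet. The `[net]` child is the unprivileged process that talks to the remote client, and "jack" is simply the user name the remote side asked to log in as; no login session exists, which is why `w` shows nothing. What actually happened is recorded by sshd in /var/log/auth.log, and a logwatch-style digest of that file is what the reply above suggests. The script below is an added example of such a digest; it parses sshd "Accepted", "Failed" and "Invalid/Illegal user" lines and reports successful logins, failed attempts (flagging names that do not exist as accounts) and attempts per source address. The log lines in it are constructed for the example; only the source address and the name "jack" come from the thread.

```python
import re
from collections import Counter

# Constructed sample of sshd messages in the syslog format written to
# /var/log/auth.log. These lines are made up for this example; only the
# source IP and the user name "jack" are taken from the thread above.
SAMPLE_AUTH_LOG = """\
Jun 12 00:02:11 bash sshd[2524]: Failed password for invalid user jack from 209.181.6.8 port 2679 ssh2
Jun 12 00:02:15 bash sshd[2524]: Failed password for invalid user jack from 209.181.6.8 port 2679 ssh2
Jun 12 00:02:40 bash sshd[2530]: Failed password for root from 209.181.6.8 port 2701 ssh2
Jun 12 00:03:02 bash sshd[2536]: Invalid user admin from 209.181.6.8
Jun 12 00:10:05 bash sshd[2900]: Accepted publickey for bo from 192.168.1.10 port 51422 ssh2
Jun 12 00:11:30 bash sshd[2910]: Accepted password for bo from 192.168.1.10 port 51430 ssh2
Jun 12 00:12:00 bash cron[2950]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Message formats written by OpenSSH. "Illegal user" is the wording of older
# releases; later ones say "Invalid user". Both are matched.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (\S+) for (invalid user )?(\S+) from (\S+) port \d+")
NOUSER_RE = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (\S+) from (\S+)")


def parse_sshd_line(line):
    """Return (kind, user, source, unknown_account) for an sshd auth line, else None.

    kind is "accepted", "failed" or "nouser" (the separate line sshd writes
    when the requested account does not exist on the box).
    """
    m = ACCEPTED_RE.search(line)
    if m:
        _method, user, src = m.groups()
        return ("accepted", user, src, False)
    m = FAILED_RE.search(line)
    if m:
        _method, invalid, user, src = m.groups()
        return ("failed", user, src, invalid is not None)
    m = NOUSER_RE.search(line)
    if m:
        user, src = m.groups()
        return ("nouser", user, src, True)
    return None


def summarize(log_text):
    """Aggregate accepted and failed logins by (user, source) and attempts by source."""
    summary = {
        "accepted": Counter(),
        "failed": Counter(),
        "by_source": Counter(),
        "unknown_users": set(),
    }
    for line in log_text.splitlines():
        parsed = parse_sshd_line(line)
        if parsed is None:
            continue  # not an sshd authentication message
        kind, user, src, unknown = parsed
        if unknown:
            summary["unknown_users"].add(user)
        if kind == "nouser":
            # sshd logs the matching "Failed ... for invalid user" line as well,
            # so the attempt itself is counted there and not twice here.
            continue
        summary[kind][(user, src)] += 1
        summary["by_source"][src] += 1
    return summary


def render(summary):
    """Build the kind of plain-text digest logwatch mails out, returned as a string."""
    lines = ["SSH authentication summary", "Successful logins:"]
    for (user, src), n in sorted(summary["accepted"].items()):
        lines.append("  %s from %s: %d" % (user, src, n))
    lines.append("Failed attempts:")
    for (user, src), n in sorted(summary["failed"].items()):
        tag = " (no such account)" if user in summary["unknown_users"] else ""
        lines.append("  %s from %s: %d%s" % (user, src, n, tag))
    lines.append("Attempts per source address:")
    for src, n in summary["by_source"].most_common():
        lines.append("  %s: %d" % (src, n))
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read() on a real box.
    print(render(summarize(SAMPLE_AUTH_LOG)))
```

On a real machine the same functions can be fed the contents of /var/log/auth.log from a daily cron job and the rendered digest mailed out; a name that shows up under "(no such account)" with many attempts from one address is exactly the pattern seen in the question, a password-guessing client, not a user who has logged in.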
ASKER CERTIFIED SOLUTION
The IP address is assigned to GARRETT BALDENSPERGER according to http://www.dnsstuff.com/tools/whois.ch?ip=209.181.6.8
If it reconnects after restarting, I would look for rootkits on your box, and if you don't get that... unplug, erase and re-install.
HTH
-t