malicious ssh user hack in ?

Hi, everybody
     I have a Debian sarge box running at home, and every now and then I find this weird ssh connection from outside
to my machine. I have no clue what it is.

 bo@bash:~$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp6       0     68 xxx.xxx.20.22:ssh   ::ffff:209.181.6.8:2679 ESTABLISHED

"ps uax" gives me this:

root      2524  0.0  0.2  5036 1848 ?        Ss   00:02   0:00 sshd: unknown [priv]
sshd      2525  0.0  0.2  4844 1712 ?        S    00:02   0:00 sshd: jack [net]
bo        2923  0.0  0.1  2528  852 pts/3    R+   00:10   0:00 ps uax

but "w" doesn't give me a new user or anything unusual ..

Can anybody help me out with what this is? What is that "jack" thing?

BR
Eric_Bo asked:
decoleur commented:
jack is a user account that is currently connected to your server. What happens when you restart the computer? Does it reconnect?

The IP address is assigned to GARRETT BALDENSPERGER according to http://www.dnsstuff.com/tools/whois.ch?ip=209.181.6.8

If it reconnects after restarting I would look for rootkits on your box, and if you don't get that... unplug, erase and re-install.

HTH

-t
giltjr commented:
If you go to the IP address 209.181.6.8 in your browser it pulls up a web site maintained by him.  Seems to deal with a company called HSNG.  They seem to be a consulting group.

The page says it is maintained by Christopher J. Pace and it says you can contact him at cpace@hnsg.net.  But it won't work; the hnsg.net domain expired June 10, 2005.
decoleur commented:
So I might even put in an iptables rule to reject any tcp connections from that subnet, and also enable logwatch to start emailing you daily summaries of activity to show you which users are successfully authenticating, what is being tried, and by whom.

I would also look at your /etc/password file and /etc/groups to see if anything has been added.

do you know a jack?

-t
Eric_Bo (author) commented:
I don't have an account in the system named "jack"; chkrootkit gave me a clean report. If I try to connect to my machine as jack from outside, of course without a password, but leave the password prompt open, I get the same result as above. Looks like someone found my machine's IP and is trying to connect.

   How do I enable logwatch to give me summaries about authentications?


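The two process titles in the question are OpenSSH's privilege-separation pair: "sshd: unknown [priv]" is the root monitor, which only learns the name after authentication succeeds, and "sshd: jack [net]" is the unprivileged child that has received the username "jack" from the client and is still waiting for authentication. Nobody is logged in yet, which is why "w" shows nothing, and it is also why the poster can reproduce the picture by sitting at a password prompt. The script below is an added example (not code from the thread) that turns that reading, plus decoleur's suggestion to check the password file for added accounts, into a check a practitioner can run over saved output: it parses "ps uax" lines, classifies each sshd process as authenticating, in session, or monitor, cross-checks the attempted username against /etc/passwd, and lists any account other than root that has UID 0. The ps lines and the passwd contents embedded here are constructed samples modelled on the question, not the poster's real files; the "toor" account is a hypothetical planted UID-0 entry to show what the check flags.

```python
import re

# Constructed `ps uax` sample modelled on the lines in the question (not the
# poster's actual output). The last two sshd lines are a hypothetical
# authenticated session for the user "bo".
PS_SAMPLE = """\
root      2524  0.0  0.2  5036 1848 ?        Ss   00:02   0:00 sshd: unknown [priv]
sshd      2525  0.0  0.2  4844 1712 ?        S    00:02   0:00 sshd: jack [net]
root      2601  0.0  0.3  8120 2300 ?        Ss   00:05   0:00 sshd: bo [priv]
bo        2602  0.0  0.2  8120 1900 ?        S    00:05   0:00 sshd: bo@pts/3
bo        2923  0.0  0.1  2528  852 pts/3    R+   00:10   0:00 ps uax
"""

# Constructed /etc/passwd sample (hypothetical). "toor" is a planted second
# UID-0 account of the kind decoleur suggests looking for.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
bo:x:1000:1000:Eric Bo,,,:/home/bo:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Process titles OpenSSH sets under privilege separation:
#   "sshd: <user> [priv]"  root monitor ("unknown" until authentication succeeds)
#   "sshd: <user> [net]"   unprivileged child doing the authentication exchange
#   "sshd: <user>@<tty>"   session process after successful authentication
SSHD_TITLE = re.compile(r"sshd: (?P<user>\S+?)(?: \[(?P<stage>priv|net)\]|@(?P<tty>\S+))$")


def parse_passwd(text):
    """Map account name -> (uid, shell) from /etc/passwd-style text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts


def parse_ps(text):
    """Extract sshd processes from `ps uax` output as {pid, user, state}."""
    found = []
    for line in text.splitlines():
        # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -> 11 columns,
        # the command column keeps its internal spaces.
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        match = SSHD_TITLE.match(fields[10])
        if match:
            found.append({"pid": int(fields[1]), "user": match.group("user"),
                          "state": match.group("stage") or "session"})
    return found


def audit(ps_text, passwd_text):
    """Classify live sshd activity and flag suspicious passwd entries."""
    accounts = parse_passwd(passwd_text)
    report = {"attempts_for_nonexistent_users": [], "authenticating": [],
              "sessions": [], "extra_uid0_accounts": []}
    for proc in parse_ps(ps_text):
        user = proc["user"]
        if proc["state"] == "priv":
            continue  # the monitor's name is only meaningful after auth; skip it
        if proc["state"] == "net":
            # Still at the authentication stage: nobody is logged in yet.
            key = "authenticating" if user in accounts else "attempts_for_nonexistent_users"
            report[key].append(user)
        else:
            report["sessions"].append(user)
    report["extra_uid0_accounts"] = sorted(
        name for name, (uid, _shell) in accounts.items() if uid == 0 and name != "root")
    return report


if __name__ == "__main__":
    for key, value in audit(PS_SAMPLE, PASSWD_SAMPLE).items():
        print(f"{key}: {value}")
```

On a live box the inputs would be `ps uax` and `/etc/passwd` read directly; the point of the classification is that a name under "[net]" that is not in passwd is someone guessing usernames, not an account that exists, so the follow-up is the auth log and a firewall rule rather than deleting a user.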
decoleur commented:
On my RH machine it is already installed; you just have to tweak the logwatch.conf and identify the email address that you want reports sent to.

If it is not installed you should be able to pull it down with yum, yast, apt or whatever package manager you like.

Or you can get it from http://www2.logwatch.org:81/

It is very simple. I have it running in cron.daily, and using the default config it parses yesterday's log files and sends me a summary of occurrences of service attempts, failures and successes.

HTH

-t
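What logwatch's sshd section produces is a tally of Accepted and Failed lines from the auth log grouped by user and source address. As an added example (not part of the thread, and not logwatch's own code), the script below does that over a handful of constructed /var/log/auth.log lines in the syslog format sshd writes, and also picks out the addresses with repeated failures, which is the list you would feed into the iptables rule suggested earlier. The sample lines, the hostname "bash", the PIDs and the failure threshold are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines in sshd's syslog format
# (hypothetical; not taken from the poster's machine).
AUTH_LOG_SAMPLE = """\
Jul  5 00:02:11 bash sshd[2525]: Invalid user jack from 209.181.6.8
Jul  5 00:02:14 bash sshd[2525]: Failed password for invalid user jack from 209.181.6.8 port 2679 ssh2
Jul  5 00:02:20 bash sshd[2530]: Invalid user jack from 209.181.6.8
Jul  5 00:02:23 bash sshd[2530]: Failed password for invalid user jack from 209.181.6.8 port 2680 ssh2
Jul  5 00:03:01 bash sshd[2540]: Failed password for root from 209.181.6.8 port 2681 ssh2
Jul  5 00:05:40 bash sshd[2601]: Accepted password for bo from 192.168.1.5 port 51234 ssh2
Jul  5 00:07:02 bash sshd[2610]: Accepted publickey for bo from 192.168.1.5 port 51240 ssh2
Jul  5 00:09:15 bash cron[2700]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One regex covers both outcomes; "invalid user " is present when the name
# does not exist on the system at all.
RESULT = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def summarize_auth(text):
    """Count sshd authentication outcomes per user and source address.

    Returns {"accepted": {user: {ip: n}}, "failed": {user: {ip: n}},
             "invalid_users": {user: n}}.
    """
    accepted = defaultdict(Counter)
    failed = defaultdict(Counter)
    invalid_users = Counter()
    for line in text.splitlines():
        match = RESULT.search(line)
        if not match:
            continue  # not an sshd auth result (e.g. the cron line)
        bucket = accepted if match.group("outcome") == "Accepted" else failed
        bucket[match.group("user")][match.group("ip")] += 1
        if match.group("invalid"):
            invalid_users[match.group("user")] += 1
    return {"accepted": {u: dict(c) for u, c in accepted.items()},
            "failed": {u: dict(c) for u, c in failed.items()},
            "invalid_users": dict(invalid_users)}


def noisy_sources(summary, threshold=3):
    """Addresses with at least `threshold` failed logins, most failures first."""
    per_ip = Counter()
    for ip_counts in summary["failed"].values():
        per_ip.update(ip_counts)
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


def render(summary):
    """Plain-text report in the spirit of logwatch's sshd section."""
    lines = []
    for heading, key in (("Users logging in through sshd:", "accepted"),
                         ("Failed logins:", "failed")):
        lines.append(heading)
        for user, ips in sorted(summary[key].items()):
            for ip, n in sorted(ips.items()):
                lines.append(f"   {user} from {ip}: {n} time(s)")
    if summary["invalid_users"]:
        lines.append("Attempts for nonexistent users:")
        for user, n in sorted(summary["invalid_users"].items()):
            lines.append(f"   {user}: {n} time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_auth(AUTH_LOG_SAMPLE)
    print(render(summary))
    print("candidates for a reject rule:", noisy_sources(summary))
```

Run daily from cron against the previous day's log and mailed to yourself, this gives the same information decoleur describes getting from logwatch; the "invalid user" count is the line that answers the original question, since an attacker guessing names like "jack" shows up there without ever appearing in "w".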
