Unauthorised SSH Login in Authorisation Logs.

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Sep 14, 2018.

  1. pawan

    pawan Member HowtoForge Supporter

    Today when I logged in my SSH server, I saw last login from unknown IP.
    Last login: Thu Sep 13 21:32:35 2018 from 223.255.225.232

    Then I check the authorisation log I get this:
    Sep 13 21:32:34 server2 sshd[28056]: Accepted password for root from 223.255.225.232 port 15592 ssh2
    Sep 13 21:32:34 server2 sshd[28056]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Sep 13 21:32:34 server2 systemd-logind[1304]: New session 354853 of user root.

    I want ot mention here that I have only port 2222 is open and that port is not open and I tried myself using that port and I was not able to login.
    is it something to do with ssh2 which is not restricting the port.
    Please help me plug this loophole.
    Thanks.

    Also Now when I check the file /etc/passwd
    I see these entries which doens't look normal.

    enjang:x:1004:1004:magelang6etar,1337,1337,1337,1337:/home/enjang:/bin/bash
    monot0n:x:1005:1005:Monot0nizm,31337,31337,31337,freak:/home/monot0n:/bin/bash
     
    Last edited: Sep 14, 2018
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You mean you changed your ssh port from 22 to 2222? The port mentioned in your log is not the one that SSH listens on, as far as I know, that's just the communication port of that session.

    To me, it looks as if your server has been compromised. The most secure way is probably to backup data and make a full reinstall or to restore a backup from a time point before this happened. As a first step, you might want to:

    1) Check that you have valid backups of the server. If not, create a backup.
    2) Change root user password. If you allow password authentication for ssh root user, consider to change it to ssh key based auth only.
    3) Check if any processes are running under these two new users.
    4) Remove these two unknown users from passwd and shadow file.
    5) Check the system for unknown running applications, check log file for anomalies and check all crontabs.
    6) Check the system with lynis and chkrootkit.

    Depending on what's on the server and on your personal Linux experience, you might consider asking someone to check that for you.
     
  3. pawan

    pawan Member HowtoForge Supporter

    Thanks Till,
    I have deleted the users. also disabled password login for ssh
    and added only my ip for login for ssh for the time-being.
     

Share This Page