Parsed Participle

The personal weblog of Faiz Kazi: Mostly oddities in programming, life in Japan, occasionally music.

[ Home | RSS 2.0 | ATOM 1.0 ]

Oct 2008

Sat, 25 Oct 2008

./ulib - offending IP is 79.116.242.2

Another break-in, this time by a brute-force SSH password-guess. A rarely used user account called neo was logged into from 79.116.242.2, and was running a process that showed up like: 
neo  3995  0.0  0.0   1592   4 ?  S  Oct20   0:00 ./ulib
I wonder what it was actually doing. A cursory inspection of it's open file descriptors showed nothing interesting: 
# ls -l /proc/3995/fd/
total 3
lrwx------ 1 neo neo 64 Oct 25 07:43 0 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 1 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 2 -> /dev/pts/1 (deleted)
The login occurred 5 days ago: 
44571:Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
44572:Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
posted: 07:59 | path: /security | permanent link to this entry
comments: 1


Sections

< October 2008 >
SuMoTuWeThFrSa
    1 2 3 4
5 6 7 8 91011
12131415161718
19202122232425
262728293031 

[ Home | RSS 2.0 | ATOM 1.0 ]