./ulib - offending IP is 79.116.242.2
Another break-in, this time by a brute-force SSH
password-guess. A rarely used user account called
neo was logged into from 79.116.242.2, and was
running a process that showed up like:
neo 3995 0.0 0.0 1592 4 ? S Oct20 0:00 ./ulib

I wonder what it was actually doing. A cursory inspection of its open file descriptors showed nothing interesting:
# ls -l /proc/3995/fd/
total 3
lrwx------ 1 neo neo 64 Oct 25 07:43 0 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 1 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 2 -> /dev/pts/1 (deleted)

The login occurred 5 days ago:
44571:Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
44572:Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
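The log grep above is a manual check; as an added example (not code from the original post), here is a small Python script that reads sshd log lines in the same format as the ones quoted and flags an accepted login when the source IP had already failed password attempts before it, or when the account is not one expected to log in interactively. The failed-attempt lines, the "alice" account and the 192.0.2.10 address are constructed sample data and assumptions, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines modelled on the format quoted in the post
# (the failed-attempt lines are invented to stand in for the brute-force run).
SAMPLE_LOG = """\
Oct 20 19:15:40 faizkazi sshd[2901]: Failed password for neo from 79.116.242.2 port 3072 ssh2
Oct 20 19:15:43 faizkazi sshd[2905]: Failed password for neo from 79.116.242.2 port 3077 ssh2
Oct 20 19:15:47 faizkazi sshd[2910]: Failed password for invalid user admin from 79.116.242.2 port 3081 ssh2
Oct 20 19:16:02 faizkazi sshd[2931]: Failed password for neo from 79.116.242.2 port 3090 ssh2
Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
Oct 21 08:02:11 faizkazi sshd[3310]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def suspicious_logins(log_text, expected_users, failed_threshold=3):
    """Return accepted SSH logins worth a second look: the source IP had at
    least failed_threshold failed password attempts earlier in the log (the
    guess-until-it-works pattern), or the account is not one expected to log
    in interactively (a rarely used account like 'neo' in the post).
    Returns a list of (user, ip, auth_method, reasons) tuples."""
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, ip = m.groups()
        reasons = []
        if failures[ip] >= failed_threshold:
            reasons.append(f"{failures[ip]} failed attempts from {ip} before success")
        if user not in expected_users:
            reasons.append(f"login to unexpected account {user!r}")
        if reasons:
            flagged.append((user, ip, method, reasons))
    return flagged


if __name__ == "__main__":
    for user, ip, method, reasons in suspicious_logins(SAMPLE_LOG, {"alice"}):
        print(f"{user}@{ip} via {method}: " + "; ".join(reasons))
```

Pointing it at a real /var/log/auth.log (or the file the syslog configuration sends sshd to) and an allowlist of the accounts that actually should log in reproduces the neo login as the only hit.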