Hello All,

We recently suffered a rather puzzling intrusion on an OpenSUSE 11.3 workstation and I wondered whether anyone else had seen anything similar.

This computer allowed (it doesn't any more) ssh access from anywhere in the world, and anyone with this set-up expects to see lots of failed login attempts in the log. On 24th Sept one of these attacks was taking place and generated the worrying message

sshd[26712]: Accepted password for ftp from 221.6.15.150 port 60041 ssh2

A couple of days later there were a whole bunch of them. It seems that all the system accounts had become open.

sshd[12088]: Accepted password for tomcat from 69.143.190.100 port 62729 ssh2
sshd[12130]: Accepted password for ftp from 69.143.190.100 port 63316 ssh2
sshd[12166]: Accepted password for postfix from 69.143.190.100 port 63739 ssh2
sshd[12192]: Accepted password for mysql from 69.143.190.100 port 60222 ssh2
sshd[12292]: Accepted password for nobody from 69.143.190.100 port 62565 ssh2
sshd[12336]: Accepted password for wwwrun from 69.143.190.100 port 63245 ssh2
sshd[12350]: Accepted password for news from 69.143.190.100 port 63501 ssh2
sshd[12382]: Accepted password for games from 69.143.190.100 port 63864 ssh2
sshd[12414]: Accepted password for mail from 69.143.190.100 port 60051 ssh2
sshd[12450]: Accepted password for sshd from 69.143.190.100 port 60814 ssh2
sshd[12460]: Accepted password for bin from 69.143.190.100 port 61108 ssh2
sshd[12490]: Accepted password for daemon from 69.143.190.100 port 61467 ssh2
sshd[12520]: Accepted password for lp from 69.143.190.100 port 61779 ssh2
sshd[12556]: Accepted password for uucp from 69.143.190.100 port 62212 ssh2
sshd[12981]: Accepted password for mysql from 69.143.190.100 port 60149 ssh2
sshd[12999]: Accepted password for ftp from 69.143.190.100 port 60514 ssh2
sshd[13073]: Accepted password for mysql from 69.143.190.100 port 61914 ssh2
sshd[13093]: Accepted password for sshd from 69.143.190.100 port 62346 ssh2
sshd[13220]: Accepted password for wwwrun from 69.143.190.100 port 60966 ssh2
sshd[13228]: Accepted password for news from 69.143.190.100 port 61196 ssh2
sshd[13258]: Accepted password for lp from 69.143.190.100 port 61497 ssh2
sshd[13288]: Accepted password for mail from 69.143.190.100 port 61830 ssh2
sshd[13294]: Accepted password for bin from 69.143.190.100 port 61916 ssh2
sshd[13324]: Accepted password for postfix from 69.143.190.100 port 62245 ssh2
sshd[13332]: Accepted password for at from 69.143.190.100 port 62362 ssh2

None of these accounts have passwords in /etc/shadow and none of them have null strings either. So it seems to me the most likely culprit was a misconfiguration in sshd or PAM or LDAP (in nsswitch.conf we have

passwd: compat
group: compat
shadow: compat
passwd_compat: ldap
group_compat: ldap
shadow_compat: ldap

and also we have

/etc/shadow:+::0:0:0::::
/etc/shadow:+::0:0:0::::
/etc/passwd:+:::::/nonexistent:/usr/local/etc/restricted-machine
)

The machine has been rebooted with a new kernel since then and I cannot ssh to those accounts, so I am hoping the vulnerability is no longer present. But has anyone else ever seen anything similar?

Regards,
Bob

==============================================================
Bob Vickers                          R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv   Phone: +44 1784 443691
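The pattern in the post (sshd accepting password logins for service accounts that have no password at all) is exactly what a small log check can catch early. The following is an added example, not code from the post or from openSUSE: it parses sshd "Accepted ..." lines, looks each user up in a passwd-format table, and flags logins by accounts with a system UID, a non-login shell, or no local entry. The log lines and passwd excerpt are constructed samples; on a real host with LDAP via nsswitch compat you would feed it the output of `getent passwd` rather than /etc/passwd so that directory accounts are not reported as unknown.

```python
import re
from collections import Counter

# Constructed sample in the sshd message format quoted in the post (not a live log).
SAMPLE_LOG = """\
sshd[12088]: Accepted password for tomcat from 69.143.190.100 port 62729 ssh2
sshd[12130]: Accepted password for ftp from 69.143.190.100 port 63316 ssh2
sshd[12166]: Accepted password for postfix from 69.143.190.100 port 63739 ssh2
sshd[12345]: Failed password for root from 69.143.190.100 port 60001 ssh2
sshd[12400]: Accepted publickey for bobv from 10.0.0.5 port 50000 ssh2
"""

# Constructed /etc/passwd excerpt; only name, uid and login shell are used.
SAMPLE_PASSWD = """\
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
bobv:x:1000:100:Bob:/home/bobv:/bin/bash
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def load_passwd(text):
    # Returns {name: (uid, shell)}; '+'/'-' compat lines are not real accounts.
    accounts = {}
    for line in text.splitlines():
        if not line or line[0] in "#+-":
            continue
        f = line.split(":")
        accounts[f[0]] = (int(f[2]), f[6])
    return accounts

def find_suspicious_logins(log_text, passwd, uid_threshold=1000):
    # Returns (alerts, logins-per-source-ip) for accepted logins that should not occur.
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user, ip, method = m["user"], m["ip"], m["method"]
        if user not in passwd:           # e.g. resolved via LDAP, not the local file
            alerts.append((user, ip, method, "account not in local passwd"))
        elif passwd[user][0] < uid_threshold:
            alerts.append((user, ip, method, "system account uid %d" % passwd[user][0]))
        elif passwd[user][1] in NOLOGIN_SHELLS:
            alerts.append((user, ip, method, "non-login shell " + passwd[user][1]))
    return alerts, Counter(a[1] for a in alerts)
```

The per-source-IP counter makes the second pattern in the post visible too: one address walking through every service account within minutes.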