Hi Darrell,
> I logged on to my site tonight and looked at the last log:
>
> adm1n pts/0 87.68.83.90.cabl Mon Jul 27 13:00 - 13:06 (00:06)
>
> There is no one with shell access but me. This user appears out of nowhere and
> was actually logged in for 6 minutes.
>
> I went looking around, wondering where he came from. I found in the
> /var/messages file:
>
> Jul 27 13:00:23 www sshdfilt[3451]: DB:ACCEPT: user=adm1n, ip=87.68.83.90
> Jul 27 13:00:23 www sshd[3452]: Accepted password for adm1n from
> 87.68.83.90 port 3980 ssh2
> Jul 27 13:06:47 www sshd[3452]: Received disconnect from 87.68.83.90: 11:
> Disconnect requested by Windows SSH Client.
>
> What?
Hmm. So someone from 87.68.83.90 (Smile Communications Ltd., Hasivim 25
Petach-Tikva, Israel) logged in by SSH as "adm1n". An account that he had
created minutes earlier by logging in as "admin" into the GUI:
> Jul 27 12:56:17 www cced(smd)[31615]: client 0:[48:12626]: AUTH to "admin"
> (5) succeeded
> Jul 27 12:59:50 www cced(smd)[32605]: client 5:[48:12627]: CREATE "User"
> "fullName" "=" "adm1n" "capLevels" "=" "&adminUser&controlPower&ipPooling&"
> "sortName" "=" "" "name" "=" "adm1n" "password" "=" xxx
Now the real question is: How did he obtain the "admin" password in the first
place, which allowed him to make the initial privileged connection to the GUI?
--
With best regards,
Michael Stauber
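The chain Michael reconstructs by hand above (GUI "AUTH to admin" succeeds, a new user with adminUser capabilities is CREATEd, that same user is then "Accepted" by sshd from a remote address) is exactly the kind of correlation a log monitor can do automatically. The following is an added example written for this thread, not code from either message or from the appliance's own tooling: it parses syslog lines in the format quoted above, records every user created through the cced(smd) GUI together with whether the capLevels grant adminUser, and raises an alert when that user's first SSH login arrives within a configurable window. The sample log is constructed for the example and modelled on the quoted lines; the regexes are assumptions about the message formats based only on what the thread shows.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the /var/log lines quoted in the thread.
SAMPLE_LOG = """\
Jul 27 12:56:17 www cced(smd)[31615]: client 0:[48:12626]: AUTH to "admin" (5) succeeded
Jul 27 12:59:50 www cced(smd)[32605]: client 5:[48:12627]: CREATE "User" "fullName" "=" "adm1n" "capLevels" "=" "&adminUser&controlPower&ipPooling&" "sortName" "=" "" "name" "=" "adm1n" "password" "=" xxx
Jul 27 13:00:23 www sshdfilt[3451]: DB:ACCEPT: user=adm1n, ip=87.68.83.90
Jul 27 13:00:23 www sshd[3452]: Accepted password for adm1n from 87.68.83.90 port 3980 ssh2
Jul 27 13:06:47 www sshd[3452]: Received disconnect from 87.68.83.90: 11: Disconnect requested by Windows SSH Client.
"""

# Message formats are assumed from the lines quoted in the thread.
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
GUI_AUTH_RE = re.compile(
    r'cced\(smd\)\[\d+\]: client \d+:\[[\d:]+\]: AUTH to "(?P<user>[^"]+)" \(\d+\) succeeded')
GUI_CREATE_RE = re.compile(
    r'cced\(smd\)\[\d+\]: client \d+:\[[\d:]+\]: CREATE "User" (?P<attrs>.*)$')
# Attributes are written as "key" "=" "value"; unquoted values (the masked password) also occur.
ATTR_RE = re.compile(r'"(?P<key>[^"]+)" "=" (?:"(?P<val>[^"]*)"|(?P<raw>\S+))')
SSH_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_ts(ts):
    # syslog omits the year; only time differences are used here, so strptime's default year is fine.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_create_attrs(attr_text):
    """Turn the CREATE "User" attribute list into a dict, keeping empty quoted values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group("key")] = m.group("val") if m.group("val") is not None else m.group("raw")
    return attrs


def correlate(log_text, window_seconds=3600):
    """Return one alert per SSH login by a GUI-created user within window_seconds of creation."""
    gui_auths = []   # (timestamp, GUI account) for every successful GUI authentication
    creations = {}   # created user name -> details of the CREATE event
    alerts = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m.group("ts")), m.group("rest")

        a = GUI_AUTH_RE.search(rest)
        if a:
            gui_auths.append((ts, a.group("user")))
            continue

        c = GUI_CREATE_RE.search(rest)
        if c:
            attrs = parse_create_attrs(c.group("attrs"))
            name = attrs.get("name")
            if name:
                # Most recent GUI authentication before the CREATE is the best available
                # hint of which GUI account issued it (the client ids do not tie them strictly).
                prior = [u for (t, u) in gui_auths if t <= ts]
                creations[name] = {
                    "created_at": ts,
                    "admin_caps": "&adminUser&" in attrs.get("capLevels", ""),
                    "gui_auth_user": prior[-1] if prior else None,
                }
            continue

        s = SSH_ACCEPT_RE.search(rest)
        if s and s.group("user") in creations:
            created = creations[s.group("user")]
            delta = (ts - created["created_at"]).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "user": s.group("user"),
                    "from_ip": s.group("ip"),
                    "method": s.group("method"),
                    "delta_seconds": int(delta),
                    "admin_caps": created["admin_caps"],
                    "gui_auth_user": created["gui_auth_user"],
                    "login_at": ts.strftime("%b %d %H:%M:%S"),
                })
    return alerts


def format_alert(alert):
    caps = "with adminUser capabilities" if alert["admin_caps"] else "without admin capabilities"
    return (f'{alert["login_at"]}: SSH {alert["method"]} login for "{alert["user"]}" from '
            f'{alert["from_ip"]} only {alert["delta_seconds"]}s after the account was created '
            f'via the GUI (authenticated as "{alert["gui_auth_user"]}") {caps}')


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(format_alert(alert))
```

On the sample log this yields a single alert for "adm1n": created with adminUser capabilities after a GUI authentication as "admin", then accepted by sshd 33 seconds later from 87.68.83.90. The window is deliberately generous because the interesting signal is the sequence itself, not the exact gap; a GUI-created account that never logs in over SSH is normal, an admin-capable one that does so within the hour is worth a look.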