./ulib - offending IP is 79.116.242.2

Sat, 25 Oct 2008 11:59 GMT

Another break-in, this time by a brute-force SSH password-guess. A rarely used user account called neo was logged into from 79.116.242.2, and was running a process that showed up like:

neo  3995  0.0  0.0   1592   4 ?  S  Oct20   0:00 ./ulib

I wonder what it was actually doing. A cursory inspection of it's open file descriptors showed nothing interesting:

# ls -l /proc/3995/fd/
total 3
lrwx------ 1 neo neo 64 Oct 25 07:43 0 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 1 -> /dev/pts/1 (deleted)
lrwx------ 1 neo neo 64 Oct 25 07:43 2 -> /dev/pts/1 (deleted)

The login occurred 5 days ago:

44571:Oct 20 19:17:08 faizkazi sshd[2972]: Accepted keyboard-interactive/pam for neo from 79.116.242.2 port 3106 ssh2
44572:Oct 20 19:17:08 faizkazi sshd[2986]: (pam_unix) session opened for user neo by (uid=0)

Parsed Participle

./ulib - offending IP is 79.116.242.2