Non-existent user able to log in??? hacked????
Last night I found the following in my wtmp:
test ftpd19097 18.104.22.168 Sat May 15 10:57 - 10:57 (00:00)
I had this test account once but removed account rightaway. So this
shouldn't show up in my logs anyhow. The weird thing is that syslog
shows something else:
May 15 10:57:41 matilda wu-ftpd: connect from 22.214.171.124
May 15 10:57:44 matilda wu-ftpd: FTP LOGIN REFUSED (ftp not in
/etc/passwd) FROM 126.96.36.199 [188.8.131.52], anonymous
So now I tried myself to login as this test user with a very obvious
password. It was possible.... SSH login succeeded and ftp login as well.
The ssh login seems to get mapped to another local user which does
have an existing account on the server. However it can't find the home
dir so it sets it to /
I have nothing in /etc/passwd, /etc/shadow or anywhere else...
a grep test on passwd* or shadow* reveals nothing. So how is it possible
that this test user is able to login.
I've run the most recent version of chkrootkit (0.43) and run a linux
virusscanner (mcafee) as well. Both find nothing.
Any help appreciated.