Non-existent user able to log in??? hacked????
Last night I found the following in my wtmp:
test ftpd19097 22.214.171.124 Sat May 15 10:57 - 10:57 (00:00)
I had this test account once but removed account rightaway. So this
shouldn't show up in my logs anyhow. The weird thing is that syslog
shows something else:
May 15 10:57:41 matilda wu-ftpd: connect from 126.96.36.199
May 15 10:57:44 matilda wu-ftpd: FTP LOGIN REFUSED (ftp not in
/etc/passwd) FROM 188.8.131.52 [184.108.40.206], anonymous
So now I tried myself to login as this test user with a very obvious
password. It was possible.... SSH login succeeded and ftp login as well.
The ssh login seems to get mapped to another local user which does
have an existing account on the server. However it can't find the home
dir so it sets it to /
I have nothing in /etc/passwd, /etc/shadow or anywhere else...
a grep test on passwd* or shadow* reveals nothing. So how is it possible
that this test user is able to login.
I've run the most recent version of chkrootkit (0.43) and run a linux
virusscanner (mcafee) as well. Both find nothing.
Any help appreciated.