[ILUG] sshd

Keith Hyland keith at iol.ie
Thu Nov 23 13:59:50 GMT 2006


A web-facing box (on a DMZ) I'm responsible for has recently shown 
increased traffic: lighting up my ADSL router.

The volumes are not large, but rather constant and it seems to be 
evenly split incoming/outgoing. It appears to be on port 22, which, 
along with port 80, are the only two ports forwarded from the firewall.

I believe it's on port 22 as when I close that port on the f/w the 
activity stops.

I have to allow ssh access to *one* remote user to admin the website.

I've checked with the remote user and her activity pattern/timing 
doesn't fit the traffic I'm seeing.

The distro is SUSE 9.3, patched monthly.

With this in mind I had a look around the box, and found something I 
think is odd:

All the files in /etc/pam.d are dated back to 2005, except for 
/etc/pam.d/sshd:

> #%PAM-1.0
> auth     include        common-auth
> auth     required       pam_nologin.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> # Enable the following line to get resmgr support for
> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> #session  optional      pam_resmgr.so fake_ttyname

which is dated Nov. 10 2006

I haven't been near that box since October.

Is this likely to be caused by the regular automated online updates or 
has someone been sneaking around in here?

I really don't want to tear it all down and start again.
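An added example, not part of the original post, of the triage that answers this question from the box's own logs: constant, evenly split traffic on port 22 is the pattern of password guessing against sshd, and an OpenSSH of that era records every attempt in /var/log/messages. The script below parses constructed sample lines in that format (the host name, account names and addresses are made up), counts failed attempts per source address, and flags any accepted login that is either not from the one expected account (assumed here to be `webadmin`) or comes from an address that was also guessing passwords.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample log lines in the syslog format OpenSSH sshd wrote to
# /var/log/messages on SUSE systems of this era.  Host name, user names and
# addresses are made up for the example; nothing here is from the original post.
SAMPLE_LOG = """\
Nov 10 02:14:07 web sshd[2931]: Illegal user admin from 198.51.100.23
Nov 10 02:14:07 web sshd[2931]: Failed password for illegal user admin from 198.51.100.23 port 40211 ssh2
Nov 10 02:14:11 web sshd[2933]: Failed password for root from 198.51.100.23 port 40219 ssh2
Nov 10 02:14:15 web sshd[2935]: Illegal user test from 198.51.100.23
Nov 10 02:14:15 web sshd[2935]: Failed password for illegal user test from 198.51.100.23 port 40230 ssh2
Nov 10 02:14:19 web sshd[2937]: Failed password for root from 203.0.113.7 port 51002 ssh2
Nov 10 09:02:44 web sshd[3120]: Accepted publickey for webadmin from 192.0.2.10 port 52311 ssh2
Nov 10 09:40:02 web sshd[3122]: Accepted password for root from 198.51.100.23 port 40877 ssh2
"""

# One regex covers both "Failed <method> for [illegal user] <user> from <ip>"
# and "Accepted <method> for <user> from <ip>".  Older sshd says "illegal
# user", later versions say "invalid user"; both forms are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\w+) for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize_sshd(log_text, allowed_users=("webadmin",)):
    """Count failed logins per source and flag accepted logins that look wrong.

    allowed_users is the set of accounts that are supposed to log in over ssh
    (assumed to be a single web-admin account for this example).
    """
    failed = Counter()          # source ip -> number of failed attempts
    guessed = defaultdict(set)  # source ip -> account names it tried
    accepted = []               # (timestamp, user, ip, method)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["event"] == "Failed":
            failed[ip] += 1
            guessed[ip].add(user)
        else:
            accepted.append((m["ts"], user, ip, m["method"]))
    # An accepted login is suspicious if the account is not one we expect, or
    # if the same address was seen failing passwords before it got in.
    suspicious = [a for a in accepted if a[1] not in allowed_users or a[2] in failed]
    return {
        "failed_by_ip": dict(failed),
        "guessed_users": {ip: sorted(users) for ip, users in guessed.items()},
        "accepted": accepted,
        "suspicious": suspicious,
    }


def main(argv):
    # With a path argument, read the real log; otherwise use the sample above.
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = summarize_sshd(text)
    for ip, n in sorted(report["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n:4} failed  tried: {', '.join(report['guessed_users'][ip])}")
    for entry in report["accepted"]:
        ts, user, ip, method = entry
        mark = "SUSPICIOUS" if entry in report["suspicious"] else "ok"
        print(f"{ts}  accepted {method} for {user} from {ip}  [{mark}]")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports on the sample; run as `python3 ssh_triage.py /var/log/messages` it reports on the real log. For the /etc/pam.d/sshd date itself, `rpm -V openssh` lists the file if it differs from what the package installed (assuming, as on SUSE, that the file belongs to the openssh package), and `rpm -q --last openssh` shows when that package was last installed; a file whose mtime matches a package install and verifies clean was replaced by the update, while one that verifies dirty with no matching install was edited by hand.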
