keith at iol.ie
Thu Nov 23 13:59:50 GMT 2006
A web-facing box (on a DMZ) I'm responsible for has recently shown
increased traffic: lighting up my ADSL router.
The volumes are not large, but rather constant, and it seems to be
evenly split incoming/outgoing. It appears to be on port 22, which,
along with port 80, is one of the only two ports forwarded from the firewall.
I believe it's on port 22 as when I close that port on the f/w the
I have to allow ssh access to *one* remote user to admin the website.
I've checked with the remote user and her activity pattern/timing
doesn't fit the traffic I'm seeing.
The distro is SUSE 9.3, patched monthly.
With this in mind I had a look around the box, and found something I
think is odd:
All the files in /etc/pam.d are dated back to 2005 except for
> auth include common-auth
> auth required pam_nologin.so
> account include common-account
> password include common-password
> session include common-session
> # Enable the following line to get resmgr support for
> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> #session optional pam_resmgr.so fake_ttyname
which is dated Nov. 10 2006
I haven't been near that box since October.
Is this likely to be caused by the regular automated online updates or
has someone been sneaking around in here?
I really don't want to tear it all down and start again.
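One way to answer the question above without tearing the box down, as an added example that is not part of the original post: on an RPM-based distro such as SUSE 9.3, `rpm -Vf` compares a file against the digest, size, mode and mtime its owning package recorded, so a file rewritten by a package update (digest matches, only the date moved) looks different from one edited by hand (digest differs). The script below classifies that output; the sample verify line and the assumption that the sshd PAM file belongs to the openssh package are mine, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post. `rpm -V` prints one line per
# file that differs from the package database: an 8-character flag field,
# an optional attribute column (c = config file) and the path, e.g.
#   S.5....T  c /etc/pam.d/sshd
# Flags: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime; '.' means that attribute still matches. No line = no mismatch.

# classify_verify_line LINE
# Prints: unmodified | config-changed | modified | metadata-only | unowned | missing
classify_verify_line() {
  line=$1
  case "$line" in
    "")                              echo unmodified; return 0 ;;
    *"is not owned by any package"*) echo unowned;    return 0 ;;
    missing*)                        echo missing;    return 0 ;;
  esac
  flags=$(printf '%s' "$line" | cut -c1-8)
  attr=$(printf '%s' "$line" | awk '{print $2}')
  case "$flags" in
    *5*|*S*)
      # Digest or size differs: the content changed after the package was
      # installed. A package update would have left a matching digest
      # (compare the file date with: rpm -q --last <package>).
      if [ "$attr" = "c" ]; then echo config-changed; else echo modified; fi ;;
    *)
      # Only mode/owner/mtime differ: content is what the package shipped.
      echo metadata-only ;;
  esac
}

# check_file PATH [SAMPLE_LINE]
# Runs rpm when it is available; otherwise classifies the constructed
# SAMPLE_LINE so the logic can be exercised on a machine without rpm.
check_file() {
  f=$1
  if command -v rpm >/dev/null 2>&1; then
    [ -e "$f" ] || { echo missing; return 0; }
    # rpm -Vf lists the whole owning package; keep only our path's line
    # (or the "not owned" message, which has no path as its last field)
    out=$(rpm -Vf "$f" 2>&1 | awk -v p="$f" '$NF == p || index($0, "not owned")')
  else
    out=${2:-}
  fi
  classify_verify_line "$out"
}

# Constructed sample: digest, size and mtime of the sshd PAM config differ.
# (Assumption: /etc/pam.d/sshd belongs to the openssh package on SUSE.)
printf '%s: %s\n' /etc/pam.d/sshd \
  "$(check_file /etc/pam.d/sshd 'S.5....T  c /etc/pam.d/sshd')"
```

A result of `unmodified` or `metadata-only` for /etc/pam.d/sshd means the Nov 10 content is exactly what the package shipped, which fits an automated update; `config-changed` means something other than the package wrote it and the box deserves a closer look.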