On Mon, Feb 28, 2022 at 12:48:31PM -0500, Whit Blauvelt wrote:
> Hi,
>
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
> week. The intruder managed to achieve this:
>
> Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
>
> This despite that /etc/passwd has:
>
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>
> And /etc/shadow has:
>
> backup:*:16359:0:99999:7:::
>
> Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
> should have been enough to prevent "Accepted password for backup." The
> /usr/sbin/nologin is the standard version for that Ubuntu generation, byte
> identical.
>
> Adding this to sshd_config was effective:
>
> DenyUsers backup
> ...

Possibly OT, but have you verified the system's PAM modules/configuration as
well? They may have used the backup account post-exploitation if everything
else checked out.

-c

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
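The situation described in the thread (an "Accepted password" for an account whose /etc/shadow field is "*" and whose shell is nologin) is something a defender can look for across a whole auth log. The following is an added example, not code from the thread or from OpenSSH: it cross-checks sshd "Accepted ..." lines against constructed /etc/passwd and /etc/shadow contents and flags logins that the local account database should have made impossible. The sample data is constructed (the first log line mirrors the one quoted above), and the set of shells treated as "no login" is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/passwd: the "backup" line matches the one in the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample /etc/shadow: "*" and "!" can never match a password.
SHADOW = """\
root:!:16359:0:99999:7:::
backup:*:16359:0:99999:7:::
alice:$6$saltsalt$notarealhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
"""

# Constructed sshd auth log lines; the first one is the event quoted in the thread.
AUTH_LOG = [
    "Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2",
    "Feb 24 08:20:01 localhost sshd[32301]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:abc",
    "Feb 24 08:21:15 localhost sshd[32310]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2",
    "Feb 24 08:30:44 localhost sshd[32333]: Accepted password for alice from 192.0.2.10 port 50130 ssh2",
]

# Assumption: these shells are the ones an administrator uses to refuse interactive logins.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def password_locked_users(shadow_text: str) -> Dict[str, str]:
    """Return {user: reason} for accounts whose shadow field can never match a password."""
    locked = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_hash = line.split(":")[:2]
        if pw_hash in ("*", "") or pw_hash.startswith("!"):
            locked[user] = f"shadow password field is {pw_hash!r}"
    return locked


def nologin_users(passwd_text: str) -> Dict[str, str]:
    """Return {user: reason} for accounts whose login shell refuses interactive logins."""
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, shell = fields[0], fields[6]
        if shell in NOLOGIN_SHELLS:
            result[user] = f"login shell is {shell}"
    return result


def suspicious_accepts(log_lines, passwd_text, shadow_text) -> List[Tuple[str, str, str, str]]:
    """Flag every sshd 'Accepted ...' event for an account that should not be loggable into.

    Returns (user, method, source_ip, reason) tuples. An 'Accepted password' for a
    user whose shadow field is '*' means the password was not validated against
    /etc/shadow, so the authentication path itself (the PAM stack) needs review.
    """
    locked = password_locked_users(shadow_text)
    nologin = nologin_users(passwd_text)
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        reasons = []
        if m.group("method") == "password" and user in locked:
            reasons.append(locked[user])
        if user in nologin:
            reasons.append(nologin[user])
        if reasons:
            findings.append((user, m.group("method"), m.group("ip"), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, method, ip, reason in suspicious_accepts(AUTH_LOG, PASSWD, SHADOW):
        print(f"ALERT: sshd accepted {method} for {user} from {ip} ({reason})")
```

On a real host the three inputs would be the contents of /etc/passwd, /etc/shadow and the sshd entries from the auth log; any finding is a login that the account database alone cannot explain, which is exactly the case where the PAM configuration (and whatever else sits in the authentication path) deserves a look.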