On Mon, 28 Feb 2022, Whit Blauvelt wrote:

> Hi,
>
> If this is not the right place to ask this, please redirect me. Hopefully it
> is a known vulnerability, due to out of date software. We had a server
> running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
> week. The intruder managed to achieve this:
>
> Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
>
> This despite that /etc/passwd has:
>
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>
> And /etc/shadow has:
>
> backup:*:16359:0:99999:7:::

We're not aware of any security problems in OpenSSH 8.6 that could yield
access to a locked account like this.

On Ubuntu, OpenSSH delegates to PAM for password authentication and
verification of the user's shell against /etc/shells. You can check whether
this is actually enabled using 'sudo sshd -T | grep ^usepam'

It sounds like you have already verified that your PAM configuration was not
tampered with, so that removes one possibility. Reviewing the Ubuntu PAM
configurations and the patches they apply to sshd seems to be a prudent next
step.

It's possible that the above log message was not from the initial
compromise, but rather the attacker running their own sshd to act as a more
reliable foothold. Hopefully you're able to preserve and perform forensics on
the host.

If there is evidence of a bug in sshd, then please send it to the security
bug reporting contact: openssh@xxxxxxxxxxx

Thanks,
Damien Miller
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
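A defender-side check in the spirit of the reply above, written as an added example that is not from the thread or the OpenSSH project: it parses the effective configuration printed by 'sshd -T' for the usepam key, then scans sshd "Accepted" log lines and flags any that land on an account that should not be able to log in (a locked password field in /etc/shadow, or a login shell such as /usr/sbin/nologin in /etc/passwd). The backup entries and the first log line are the ones quoted in the original message; the other passwd, shadow, sshd -T and log samples are constructed, and all function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample data. The two backup entries and the first log line are
# quoted from the thread; the root and alice entries and the other log lines
# are made up for this example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:*:16359:0:99999:7:::
backup:*:16359:0:99999:7:::
alice:$6$constructed$notarealhash:18000:0:99999:7:::
"""

# Constructed 'sudo sshd -T' output (effective configuration), trimmed to the
# keys that matter here.
SSHD_T = """\
port 22
usepam yes
passwordauthentication yes
"""

AUTH_LOG = """\
Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2
Feb 24 08:15:01 localhost sshd[32290]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Feb 24 08:16:10 localhost sshd[32301]: Failed password for root from 198.51.100.7 port 41000 ssh2
"""

# Shells that mark an account as not intended for interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_colon_file(text: str, field: int) -> Dict[str, str]:
    """Map username -> the given colon-separated field of a passwd/shadow style file."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) > field:
            result[parts[0]] = parts[field]
    return result


def parse_passwd(text: str) -> Dict[str, str]:
    """username -> login shell (7th field of /etc/passwd)."""
    return parse_colon_file(text, 6)


def parse_shadow(text: str) -> Dict[str, str]:
    """username -> password field (2nd field of /etc/shadow)."""
    return parse_colon_file(text, 1)


def password_locked(field: str) -> bool:
    """True for shadow password fields that can never match a typed password.

    '*' and '!' mean 'no valid password'; a leading '!' in front of a hash is
    the lock applied by passwd -l / usermod -L.
    """
    return field in ("*", "!", "!!", "") or field.startswith("!")


def usepam_enabled(sshd_t_output: str) -> bool:
    """Parse 'sshd -T' output and report whether UsePAM is on."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "usepam":
            return value.strip().lower() == "yes"
    return False  # key absent from the effective config: treat as off


def suspicious_logins(log: str, shells: Dict[str, str],
                      pw_fields: Dict[str, str]) -> List[dict]:
    """Return 'Accepted' events for accounts that should not have been able to log in."""
    hits: List[dict] = []
    for line in log.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # failed attempts and other messages are not of interest here
        user = m.group("user")
        reasons = []
        if m.group("method") == "password" and password_locked(pw_fields.get(user, "")):
            reasons.append("locked password")
        if shells.get(user) in NOLOGIN_SHELLS:
            reasons.append("nologin shell")
        if user not in shells:
            reasons.append("unknown user")
        if reasons:
            hits.append({"user": user, "method": m.group("method"),
                         "src": m.group("src"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("UsePAM enabled:", usepam_enabled(SSHD_T))
    for hit in suspicious_logins(AUTH_LOG, parse_passwd(PASSWD), parse_shadow(SHADOW)):
        print(hit)
```

On a real host the inputs would be /etc/passwd, /etc/shadow (readable only by root) and the sshd entries from /var/log/auth.log or journalctl; note that, as the reply points out, 'sshd -T' only describes the configuration of the sshd binary you run it on, so the check says nothing about a second daemon an intruder may have started.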