How can I spy on a user and how is this person able to ssh when shell is disabled?

shred

Member
Dec 1, 2002
Hello,

How can I spy on a user to see what they are doing when logged in? I have a new sign up, shell access is disabled yet it looks as if the user is logging in their account via ssh shell. I don’t understand how this is happening and I want to spy on this person to see what they are typing in the shell.

I’m not 100% sure this person is logging in via ssh shell to their account, but when I do "last" I see:
HTML:
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:24 - 19:24  (00:00)
root     pts/0        xxxxxxxxxxx Fri Aug 18 18:34   still logged in
root     pts/0        xxxxxxxxxxx Fri Aug 18 18:23 - 18:34  (00:10)
root     pts/4        xxxxxxxxxxx Fri Aug 18 17:28 - 18:23  (00:55)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 14:02 - 14:02  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 12:38 - 12:38  (00:00)
(Sorry for the HTML Code: thing, I don't know how else to stop all the spaces from being deleted in the above for this post)

Note that I edited the user's login to USER_IN_QUESTION and removed all IP numbers to read 000.00 and changed port numbers userID and groupID etc.

Also, something interesting in the logs is this:

messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[888]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2

I changed this IP number to all 1s (11.111) to mask the IP number and also to show that it's a different IP number. Note that it looks like the user ssh'd into the machine and then added a shell, but when I look in the password file the user is noshell. I don't know if that is a cPanel thing adding the user and group WITH shell=/bin/bash when creating the account or if the person did this. I guess I can check the date of the signup to see if it matches etc.

Also, they uploaded an interesting file called nph-proxy.pl, which is in public_html/cgiproxy/nph-proxy.pl. Another file uploaded and deleted several times was fd_installer.pl, and there is also an interesting file in the home directory called .rnd and I don’t have any idea what that file is. No other account has this file.

I took a look at the cgi proxy script and it seems what it is for is so you can browse the Internet anonymously, however, I wonder what kind of abuse this could possibly be used for.

Anyway, I want to log “everything” this user does on the system. I don’t want to delete the user without knowing for sure the person is up to no good. So far nothing bad has happened but I have to look into this.

Below are some of the logs. I changed the log file for security purposes so I can post this publicly. All IP numbers have been changed to 000 or 111 or 222 and the user ID and machine name have been changed and are in CAPS.

Thanks in advance!

Below are some of the logs in the logs directory when I do a "grep -n USER_IN_QUESTION *"

cron.1:13374:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99999]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
cron.1:13375:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99991]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
exim_mainlog:66406:2006-08-18 12:18:34 SOME_EXIM_ID-0007Az-RF => [email protected]_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx4.SOME_HOST.net [222.222.22.22]
exim_mainlog:66416:2006-08-18 12:20:17 SOME_EXIM_ID-0007UP-5X => [email protected]_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx1.SOME_HOST.net [222.222.22.22]
messages.1:92181:Aug 18 12:27:15 MACHINE sshd(pam_unix)[999]: session opened for user USER_IN_QUESTION by (uid=0)

messages.1:92184:Aug 18 12:27:48 MACHINE sshd(pam_unix)[9999]: session closed for user USER_IN_QUESTION
messages.1:92188:Aug 18 12:31:02 MACHINE pure-ftpd: ([email protected]) [INFO] USER_IN_QUESTION is now logged in
messages.1:92189:Aug 18 12:31:02 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (82 bytes, 2.05KB/sec)
messages.1:92190:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl
messages.1:92191:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (88 bytes, 2.19KB/sec)
messages.1:92192:Aug 18 12:31:03 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl

messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
secure.1:60780:Aug 18 12:27:45 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2

messages.1:92220:Aug 18 12:31:43 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/fd_installer.pl uploaded (2815 bytes, 35.20KB/sec)
messages.1:92221:Aug 18 12:31:44 MACHINE pure-ftpd: ([email protected]) [NOTICE] Deleted fd_installer.pl
messages.1:92222:Aug 18 12:31:45 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/nph-proxy.pl uploaded (250288 bytes, 760.75KB/sec)
messages.1:92223:Aug 18 12:31:45 MACHINE pure-ftpd: ([email protected]) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/README uploaded (39214 bytes, 224.50KB/sec)
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
The last entries don't necessarily indicate a shell login. The cPanel login shell actually allows a login and then terminates it; that's why it shows as successful, but is for the same second. That is, they logged in, got the "go away" message and were logged out.

The nph-proxy.cgi is a typical hackers script. It's used to browse anonymously as you mentioned, but is commonly used by hackers to launch attacks against other servers.

I would have to assume the useradd and groupadd lines are from when you created their cPanel account.

I don't know what the fd_installer.pl does, you'd need to post it.

You'd really need to check the domlog for their domain to see what they're up to.
 

shred

Member
Dec 1, 2002
chirpy said:
The last entries don't necessarily indicate a shell login. The cPanel login shell actually allows a login and then terminates it; that's why it shows as successful, but is for the same second. That is, they logged in, got the "go away" message and were logged out.

The nph-proxy.cgi is a typical hackers script. It's used to browse anonymously as you mentioned, but is commonly used by hackers to launch attacks against other servers.

I would have to assume the useradd and groupadd lines are from when you created their cPanel account.

I don't know what the fd_installer.pl does, you'd need to post it.

You'd really need to check the domlog for their domain to see what they're up to.
Ok, I see, the person is trying to ssh in but can't. I tried ssh with one of my accounts that I know does not have shell access and you're right, it shows up as a login.

As for the fd_installer.pl, it's been uploaded and deleted many times so I cannot post it. How do I check the "domlog" for the domain? What IS the domlog??? The domain name was not registered through me and the domain name dns servers are not updated to my server or not propagated yet. Also, it's an .info domain name and has the word "firewall" in the name. The person did pay with a credit card. I am going to refund 100% of the amount of the charge. I'm not sure if I should terminate this account or not, but either way I am going to issue a refund.

Is there a way for me to tell if this person is launching an attack with this script?

Thanks
 

shred

Member
Dec 1, 2002
Ok, I found the domlog directory. I did a cat on *thedomainname* and it did not give me any more info than what I have.
 

dwykofka

Well-Known Member
Aug 6, 2003
Honestly I would call them and ask what they are doing on the server..

Tell them that whatever they are doing is sending up red flags and get a detailed explanation from them and then you can decide if you want to host them any longer.

You might find out that it's a bad account, i.e. stolen cc or bad info.

You might also find out that they have no clue about anything beyond frontpage and they might have been hacked. Either way I would go directly to the source..
 

shred

Member
Dec 1, 2002
I was thinking the same thing and I do have plans on calling them tomorrow.

Thanks for the help
 

NightStorm

Well-Known Member
Jul 28, 2003
cPanel Access Level
Root Administrator
I would consider the path that the file is being uploaded to as somewhat suspicious... not often do you use a //./ path in much of anything good.
All I can find on the fd_installer.pl file is 0 byte files. The standard files that seem to be dropped into the same directories are various sorts of proxies (cgi-proxy, as an example) and cgi-based port scanners.
I'd do the phone method... but I also would not be overly shocked to discover the information that was supplied at signup as being forged, or "borrowed".
 

jayh38

Well-Known Member
Mar 3, 2006
SHRED,

Why not just change your ssh port once in a while, and you don't have to worry about login attempts? If you have jailshell customers this could be a problem, but I do not offer jailshell at all.

Out of sight, out of mind...
 

shred

Member
Dec 1, 2002
jayh38 said:
SHRED,

Why not just change your ssh port once in a while, and you don't have to worry about login attempts? If you have jailshell customers this could be a problem, but I do not offer jailshell at all.

Out of sight, out of mind...
Hey, that's a great idea!!! Sorry for being ignorant but, how do I change the ssh port??? As far as jailshell customers, that could be taken care of with a simple PHP script or some other kind of script for those users, I would think (if you have any). I don't have any customers that care about it. I did once but that person seemed to disappear from the face of the earth.

Also, it looks like this person is trying to ssh in on multiple ports, such as 3501, 57672 etc. When I try these ports I get host unreachable. The thing is, with this person the logs say password accepted for this person with these ports.

I will be calling this person today.

As far as the cgi scripts, I did a "chmod a-rwx" on the scripts and cgi directories so at least they won't work. I also locked down the use_mod_dir to make sure this script won't be executed with the http://IP_NUMBER/~$HOME/
This person's domain name STILL has not been changed to my name servers. I'm pretty sure I will be deleting this account today.

Back to my original question, how can I spy on a user that has shell access??? I would like to know this for the future just in case.

Oh, and I'm a little worried of what may happen when I delete this account today. I hope I don't get a DOS attack or something.

Thanks for the help!
 

shred

Member
Dec 1, 2002
Ok, I have changed the ssh port, however when I restart ssh WHM says ssh failed to restart. However even though ssh failed to restart I can ssh into the new port anyway. Also the old port does not accept ssh connections which is what I want, but I don't know what to make out of the ssh fail on restart.

Also, update about the customer: I tracked down the person's "real" phone number, not the one that was provided, and found out that the credit card is stolen yet the person didn't know. So I was the person to inform them about their credit card being stolen. Now if it were possible to catch the person who used the credit card.

As for the account, well, let's just say I made it so the person can't get in. I just hope they were not able to do anything to cause damage.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
shred said:
Ok, I have changed the ssh port, however when I restart ssh WHM says ssh failed to restart. However even though ssh failed to restart I can ssh into the new port anyway. Also the old port does not accept ssh connections which is what I want, but I don't know what to make out of the ssh fail on restart.
That always happens as the cPanel restart procedure only checks for SSH on port 22.
 

joako

Well-Known Member
Aug 7, 2003
cPanel Access Level
DataCenter Provider
fd_installer.pl is for a Flash decompiler. nph-proxy, as you have seen, is just a web based proxy; the user can browse to whatever websites he visits. Review your access logs and you will probably see the URLs that the user has accessed, and also check the source IP, so you can see if maybe it's the user at work or something, or if a lot of people are using it....

And as was mentioned the SSH sessions were for only a few seconds, Try to create a test account on your server and SSH in. It will allow you to login and display something like:

Shell access is not enabled on your account!
If you need shell access please contact support.
Probably the user was trying to SSH in to use wget to download the scripts, instead of trying to upload them.
 

joako

Well-Known Member
Aug 7, 2003
cPanel Access Level
DataCenter Provider
[email protected]:~> ssh -l user server.com
[email protected]'s password:
Last login: Mon Aug 28 00:53:32 2006 from
Shell access is not enabled on your account!
If you need shell access please contact support.
Connection to server.com closed.
[email protected]:~> ssh -l root server.com
[email protected]'s password:
Last login: Sun Aug 27 17:50:19 2006 from
[email protected] [~]# last user
user pts/1 6x.23x.17x.23x Mon Aug 28 00:55 - 00:55 (00:00)
user pts/1 6x.23x.17x.23x Mon Aug 28 00:53 - 00:53 (00:00)

wtmp begins Tue Aug 1 19:49:27 2006
[email protected] [~]#
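The point chirpy made earlier (a noshell login shows up in `last` as a same-minute session) and the session joako just pasted can be turned into a log check. The script below is an added example, not code from this thread or from cPanel: it parses `last` rows and sshd(pam_unix) "session opened"/"session closed" lines in the formats quoted above and reports which accounts only bounced off the "Shell access is not enabled" message and which actually held an interactive session. The sample lines, user names, PIDs and IPs are constructed.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the `last` and sshd(pam_unix) lines quoted
# in this thread; user names, PIDs and IPs are placeholders, not the thread's values.
LAST_OUTPUT = """\
user1    pts/4        203.0.113.7      Fri Aug 18 19:37 - 19:37  (00:00)
user1    pts/4        203.0.113.7      Fri Aug 18 12:38 - 12:38  (00:00)
root     pts/0        198.51.100.2     Fri Aug 18 18:34   still logged in
user2    pts/2        198.51.100.9     Fri Aug 18 17:28 - 18:23  (00:55)
"""
PAM_LOG = """\
Aug 18 12:38:05 host sshd(pam_unix)[4101]: session opened for user user1 by (uid=0)
Aug 18 12:38:05 host sshd(pam_unix)[4101]: session closed for user user1
Aug 18 17:28:02 host sshd(pam_unix)[4233]: session opened for user user2 by (uid=0)
Aug 18 18:23:10 host sshd(pam_unix)[4233]: session closed for user user2
"""
# A `last` row ends in the session length as (HH:MM); 'still logged in' rows do not match.
LAST_RE = re.compile(
    r"^(\S+)\s+(pts/\d+)\s+(\S+)\s+\w{3} \w{3}\s+\d+ \d\d:\d\d - \d\d:\d\d\s+\((\d+):(\d\d)\)")
PAM_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(\d+)\]: session (opened|closed) for user (\S+)")

def last_durations(text):
    """Map user -> session lengths in minutes taken from `last` output."""
    out = {}
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        out.setdefault(m.group(1), []).append(int(m.group(4)) * 60 + int(m.group(5)))
    return out

def pam_durations(text, year=2006):
    """Map user -> session lengths in seconds by pairing opened/closed lines on
    the same sshd PID (syslog stamps carry no year, so one is supplied)."""
    open_at, out = {}, {}
    for m in filter(None, map(PAM_RE.match, text.splitlines())):
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (m.group(2), m.group(4))
        if m.group(3) == "opened":
            open_at[key] = stamp
        elif key in open_at:
            out.setdefault(m.group(4), []).append(int((stamp - open_at.pop(key)).total_seconds()))
    return out

def classify(last_text, pam_text, min_seconds=60):
    """Return {user: 'bounced' | 'interactive'}: 'bounced' if every session was
    (near) zero-length, as a noshell login that only prints the 'shell access is
    not enabled' message looks; 'interactive' if any lasted min_seconds or more."""
    verdict = {}
    for user, secs in pam_durations(pam_text).items():
        verdict[user] = "interactive" if max(secs) >= min_seconds else "bounced"
    for user, mins in last_durations(last_text).items():
        verdict[user] = "interactive" if max(mins) >= 1 else verdict.get(user, "bounced")
    return verdict
```

On a real box, feed it `last USER` and `grep 'sshd(pam_unix)' /var/log/messages`; an account marked interactive while /etc/passwd says noshell is the one to investigate.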
 

electric

Well-Known Member
Nov 5, 2001
One point that is important about this thread...

You should *always* call the client to confirm their account. I can't imagine setting up an account on our servers for someone who has provided an invalid phone number. Anyone who is signing up for a hosting account and is giving you their credit card info online should not have a problem with receiving a phone call to confirm the order. In fact, our customers love it, and it's a great opportunity to show them first-hand that you offer great support/service, etc...

Plus, it reduces fraud and these kinds of "hacker issues" to just about zero.

:cool:
 

hostit1

Well-Known Member
Jul 24, 2003
If you want to spy on a user, try Eash (Enterprise Auditing Shell); it is a really neat keylogger system.

You can replay a user's ssh sessions. I have learned a lot just by watching people's sessions.

We have this installed on all our servers.

I recommend not enabling ssh unless a user asks for it.

I also recommend using jump boxes or require a user to access SSH from a dedicated IP address. This will help increase your security.

Tim Rice
Host It Now Networks
 

freedman

Well-Known Member
Feb 13, 2005
electric said:
One point that is important about this thread...

You should *always* call the client to confirm their account. I can't imagine setting up an account on our servers for someone who has provided an invalid phone number. Anyone who is signing up for a hosting account and is giving you their credit card info online should not have a problem with receiving a phone call to confirm the order. In fact, our customers love it, and it's a great opportunity to show them first-hand that you offer great support/service, etc...

Plus, it reduces fraud and these kinds of "hacker issues" to just about zero.
While I agree that anyone signing up should provide valid information and, in addition, should welcome phone calls, the value of this would be highly dependent on the value of the service.

If someone's signing up for a $3/month hosting account, it's hardly worth the time to call each of these people.

If they're signing up for an $80/month hosting account, then they probably deserve at least one phone call just to say hi.
 

hostit1

Well-Known Member
Jul 24, 2003
Really valid points. If you receive many hosting accounts per day, you may want to look at varilogix (there are other solutions as well). This will allow you to add coding to your webpage and will call the new prospective customer asking them to approve the hosting subscription. You can also block international cellphones . . . etc.

I think that there is a minimal charge ($1 per call), but it is worth it.

varilogix integrates with WHMAutopilot and Lpanel.

We used to get about $10,000 worth of fraudulent charges a month. varilogix has cut this down to about $0 - $50 a month.