How can I spy on a user and how is this person able to ssh when shell is disabled?

Hello,

How can I spy on a user to see what they are doing when logged in? I have a new sign up, shell access is disabled yet it looks as if the user is logging in their account via ssh shell. I don’t understand how this is happening and I want to spy on this person to see what they are typing in the shell.

I’m not 100% sure this person logging in via ssh shell to their account but when I do "last" I see:

HTML:

USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:24 - 19:24  (00:00)
root     pts/0        xxxxxxxxxxx Fri Aug 18 18:34   still logged in
root     pts/0        xxxxxxxxxxx Fri Aug 18 18:23 - 18:34  (00:10)
root     pts/4        xxxxxxxxxxx Fri Aug 18 17:28 - 18:23  (00:55)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 14:02 - 14:02  (00:00)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 12:38 - 12:38  (00:00)

(Sorry for the HTML Code: thing, I don't know how else to stop all the spaces from being deleted in the above for this post)

Note that I edited the user's login to USER_IN_QUESTION and removed all IP numbers to read 000.00 and changed port numbers userID and groupID etc.

Also, something interesting in the logs is this:

messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for
user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for
user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION,
gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION,
uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[888]: Accepted password for USER_IN_QUESTION
from 11.111.11.111 port 9999 ssh2

I changed this IP number to all 1s (11.111) to mask the IP number and also to show that it's a different IP number. Note that it looks like the user ssh into the machine then added shell, but when I look in the password file the user is noshell. I don't know if that is a cpanel thing adding the user and group WITH shell=/bin/bash when creating the account or if the person did this. I guess I can check the date of the signup to see if it matches etc.

Also, they uploaded an interesting file called nph-proxy.pl and is in public_html/cgiproxy/nph-proxy.pl Another file uploaded and deleted several times was fd_installer.pl and there is also an interesting file in the home directory called .rnd and I don’t have any idea what that file is. No other account has this file.

I took a look at the cgi proxy script and it seems what it is for is so you can browse the Internet anonymously, however, I wonder what kind of abuse this could possibly be used for.

Anyway, I want to log “everything” this user does on the system. I don’t want to delete the user without knowing for sure the person is up to no good. So far nothing bad has happened but I have to look into this.

Below are some of the logs. I changed the log file for security purposes so I can post this publicly. All IP numbers have been changed to 000 or 111 or 222 and the user ID and machine name have been changed and are in CAPS.

Thanks in advance!

Below are some of the logs in the logs directory when I do a "grep -n USER_IN_QUESTION *"

cron.1:13374:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99999]: (USER_IN_QUESTION) LIST
(USER_IN_QUESTION)
cron.1:13375:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99991]: (USER_IN_QUESTION) LIST
(USER_IN_QUESTION)
exim_mainlog:66406:2006-08-18 12:18:34 SOME_EXIM_ID-0007Az-RF =>
USER_IN_QUESTION@SOME_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx4.SOME_HOST.net
[222.222.22.22]
exim_mainlog:66416:2006-08-18 12:20:17 SOME_EXIM_ID-0007UP-5X =>
USER_IN_QUESTION@SOME_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx1.SOME_HOST.net
[222.222.22.22]
messages.1:92181:Aug 18 12:27:15 MACHINE sshd(pam_unix)[999]: session opened for
user USER_IN_QUESTION by (uid=0)

messages.1:92184:Aug 18 12:27:48 MACHINE sshd(pam_unix)[9999]: session closed for
user USER_IN_QUESTION
messages.1:92188:Aug 18 12:31:02 MACHINE pure-ftpd: (?@000.00.0.00) [INFO]
USER_IN_QUESTION is now logged in
messages.1:92189:Aug 18 12:31:02 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (82 bytes, 2.05KB/sec)
messages.1:92190:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] Deleted fd_installer.pl
messages.1:92191:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (88 bytes, 2.19KB/sec)
messages.1:92192:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] Deleted fd_installer.pl

messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for
user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for
user USER_IN_QUESTION
secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION,
gid=99994
secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION,
uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
secure.1:60778:Aug 18 12:27:15 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION
from 11.111.11.111 port 9999 ssh2
secure.1:60780:Aug 18 12:27:45 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION
from 11.111.11.111 port 9999 ssh2

messages.1:92220:Aug 18 12:31:43 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/fd_installer.pl uploaded (2815 bytes,
35.20KB/sec)
messages.1:92221:Aug 18 12:31:44 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] Deleted fd_installer.pl
messages.1:92222:Aug 18 12:31:45 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/nph-proxy.pl uploaded (250288
bytes, 760.75KB/sec)
messages.1:92223:Aug 18 12:31:45 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00)
[NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/README uploaded (39214 bytes,
224.50KB/sec)

 

Ok, I see, the person is trying to ssh in but can't. I tried ssh with one of my accounts that I know does not have shell access and you're right, it shows up as a login.

As for the fd_installer.pl, it's been uploaded and deleted many times so I cannot post it. How do I check the "domlog" for the domain? What IS the domlog??? The domain name was not registered through me and the domain name dns servers are not updated to my server or not propagated yet. Also, it's an .info domain name and has the word "firewall" in the name. The person did pay with a credit card. I am going to refund 100% of the amount of the charge. I'm not sure if I should terminate this account or not, but either way I am going to issue a refund.

Is there a way for me to tell if this person is launching an attack with this script?

Thanks

 

Ok, I found the domlog directory. I did a cat on *thedomainname* and it did not give me any more info than what I have.

 

I was think the same thing and I do have plans on calling them tomorrow.

Thanks for the help

 

Hey, that's a great idea!!! Sorry for being ignorant but, how do I change the ssh port??? As far as jailshell customers, that could be taken care of with a simple PHP script or some other kind of script for those users I would think. (if you have any) I don't have any customers that care about it. I did once but that person seemd to disappear from the face of the earth.

Also, it looks like this person is trying to login ssh in multiple ports, such as 3501 57672 etc. When I try these ports I get host unreachable. The thing is, with this person the logs say password accepted for this person with these ports.

I will be calling this person today.

As far as the cgi scripts, I did a "chmod a-rwx" on the scripts and cgi directories so at least they wont work. I also locked down the use_mod_dir to make sure this script wont be executed with the http://IP_NUMBER/~$HOME/
This persons domain name STILL has not been changed to my name servers. I'm pretty sure I will be deleting this account today.

Back to my original question, how can I spy on a user that has shell access??? I would like to know this for the future just in case.

Oh, and I'm a little worried of what may happen when I delete this account today. I hope I don't get a DOS attack or something.

Thanks for the help!

 

Ok, I have changed the ssh port, however when I restart ssh WHM says ssh failed to restart. However even though ssh failed to restart I can ssh into the new port anyway. Also the old port does not accept ssh connections which is what I want, but I don't know what to make out of the ssh fail on restart.

Also, update about the customer, I tracked down the person's "real" phone number, not the one that was provided and found out that the credit card is stolen yet the person didn't know. So I was the person to infrom them about their credit card being stolen. Now if it were possible to catch the person who used the credit card.

As for the account, well, lets just say I made it so the person can't get in. I just hope they were not able to do anything to cause damage.