SSH hacked?

NoOp glgxg at sbcglobal.net
Mon Jan 12 22:21:37 UTC 2009


On 01/12/2009 01:49 PM, Knapp wrote:
> Today I was sitting next to my computer and I could hear the HD going on and
> on, like I was doing a torrent or something. I was not doing anything, so I
> looked to see what was running in the background. Nothing like that was.
> Then I looked at my firewall and saw one connection that was uploading to my
> computer with ssh. At this point Firestarter crashed so I could not copy
> down the sender's address but it was odd and ended in www.?????????????.NL
> 
> I have about 4 people that can use SSH with my computer and the whole system
> is set for using only gpg type passwords. So my questions are: how can I
> find out what was uploaded? How could I have been hacked? And, how can I
> stop it from happening again? For now the ssh port is closed. This is not a
> problem because it is only used about one time a quarter.
> Thanks!
> 
> 

For where it came from, have a look in /var/log/auth.log

It should show something along the lines of:

Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
opened for user <username> by (uid=0)
Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
closed for user <username>

$ cat /var/log/auth.log |grep sshd

To stop it happening again, I'd recommend looking into denyhosts &
changing your ssh port number from the default 22. Note: changing the
port number from 22 won't stop someone that is determined to scan all of
your system for ssh, however it will stop a lot of the random script
kiddies that only scan for standard ports.
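As an added example (not part of the original thread), here is a small Python script that parses sshd lines in the auth.log format quoted above and flags accepted logins that come from an address outside a trusted set or that follow failed attempts from the same source. The sample log lines are constructed, and the trusted address set is an assumption standing in for the four known users' addresses.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original message); the
# 203.0.113.0/24 range is documentation address space, used as a placeholder.
SAMPLE_LOG = """\
Jan 12 14:06:22 host sshd[12412]: Accepted password for alice from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:22 host sshd[12414]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 12 14:06:32 host sshd[12414]: pam_unix(sshd:session): session closed for user alice
Jan 12 20:41:03 host sshd[13001]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 12 20:41:05 host sshd[13003]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 12 20:41:09 host sshd[13005]: Accepted password for bob from 203.0.113.7 port 40144 ssh2
Jan 12 21:02:11 host sshd[13100]: Accepted publickey for alice from 192.168.4.103 port 55001 ssh2
"""

# "Accepted <method> for <user> from <ip> port <port>" as written by OpenSSH.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
# "Failed password for [invalid user ]<user> from <ip> port ..."
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_sshd(text):
    """Return (list of accepted logins, Counter of failed attempts per source IP)."""
    accepted, failed = [], Counter()
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip, port = m.groups()
            accepted.append({"method": method, "user": user, "ip": ip, "port": int(port)})
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
    return accepted, failed

def suspicious_logins(accepted, failed, trusted_ips):
    """Flag accepted logins from an untrusted source, and any source that
    succeeded only after failing (a typical password-guessing pattern)."""
    flagged = []
    for entry in accepted:
        reasons = []
        if entry["ip"] not in trusted_ips:
            reasons.append("untrusted source")
        if failed[entry["ip"]]:
            reasons.append(f"{failed[entry['ip']]} failed attempts before success")
        if reasons:
            flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    acc, fail = parse_sshd(SAMPLE_LOG)  # replace with open("/var/log/auth.log").read()
    for entry, reasons in suspicious_logins(acc, fail, {"192.168.4.103"}):
        print(f"{entry['user']}@{entry['ip']} via {entry['method']}: {', '.join(reasons)}")
```

On a real system, auth.log is rotated, so the older auth.log.1 and gzipped copies may need to be included to cover the time of the connection.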