(Crossposting to /r/sysadmin because I am really at a loss)
I have googled around and can find nothing on this so I'd figure I'd reach out here.
This morning I got some weird cron messages from a bunch of physical servers running Ubuntu 10.04 or 12.04 (everything occurred exactly the same on the servers):
ERROR: ld.so: object '/lib/libc.so.5' from /etc/ld.so.preload cannot be preloaded: ignored.
I logged on to the systems and saw that uptime was showing a load of 7 or 8, which was odd because ps -aux/top wasn't showing anything running out of the ordinary.
I then proceeded to check the logs and came across this in the auth.log:
Apr 24 04:46:20 scale sshd[7807]: Accepted password for zimbabwe from 93.174.95.67 port 27452 ssh2
We don't have that user, and I immediately checked /etc/passwd and our LDAP to see if it had been added. There was nothing. I have shut down the systems, booted into a safe mode and explored the systems to see if anything was added, but I don't see anything.
I am going to rebuild them from scratch, but I was wondering, has anyone seen this ssh log before? It really bothers me that it says "Accepted password" for a user that doesn't exist.
Oh and ssh is running on a nonstandard port.
Maybe there is an ssh exploit in the wild?
EDIT: All these systems had been patched recently for Heartbleed. There is a mix of Tomcat and apache on them.
EDIT2: We are seeing /usr/local/UMBREON on there, but we still can't figure out the attack vector.
EDIT3 4/26: Still no idea where this came from. Rebuilding my systems and watching them like a hawk. When/if I know more I'll report more.
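Added example, not from the original post or from any of its commenters: a small triage script for the two indicators the post describes, an /etc/ld.so.preload entry naming a library that does not exist (the cause of the "cannot be preloaded: ignored" error) and an sshd "Accepted password" line for a username that is not in /etc/passwd. The sample preload, passwd and auth.log contents are constructed for the demo (the zimbabwe line is the one quoted in the post; the other hostnames, users and addresses are made up). Point it at a mount point such as /mnt/disk from the rescue boot rather than at the live root: an LD_PRELOAD-based rootkit hooks libc in every process, so file listings and /etc/passwd read on the running system may be filtered. Users that only exist in LDAP will show up as unknown unless you pass their names in too.

```python
"""Triage checks for a suspect /etc/ld.so.preload entry and for sshd logins by unknown users.

Usage: python triage.py            -> runs on the constructed sample data below
       python triage.py /mnt/disk  -> reads etc/ld.so.preload, etc/passwd, var/log/auth.log under that mount
"""
import os
import re
import sys

# Constructed sample data modelled on the post; not captured from a real system.
SAMPLE_PRELOAD = "/lib/libc.so.5\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "scaleadmin:x:1000:1000::/home/scaleadmin:/bin/bash\n"
)
SAMPLE_AUTH_LOG = (
    "Apr 24 04:46:20 scale sshd[7807]: Accepted password for zimbabwe from 93.174.95.67 port 27452 ssh2\n"
    "Apr 24 08:12:03 scale sshd[8123]: Accepted publickey for scaleadmin from 10.0.0.5 port 51022 ssh2\n"
    "Apr 24 08:13:44 scale sshd[8130]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2\n"
)

# Matches only successful sshd logins (any auth method); "Failed password" lines do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def preload_entries(text):
    """Shared objects listed in ld.so.preload (a whitespace-separated list per ld.so(8))."""
    return text.split()


def missing_preload_objects(text, root="", exists=os.path.exists):
    """Preload entries whose path does not exist under `root`.

    This is the exact condition that makes ld.so print 'cannot be preloaded: ignored'.
    On a stock Ubuntu install /etc/ld.so.preload is normally absent, so even an
    entry that does exist deserves a look; this check only isolates the symptom from the post.
    """
    return [p for p in preload_entries(text) if not exists(root + p)]


def known_users(passwd_text, extra_users=()):
    """Usernames from a passwd file plus any names known from another source (e.g. LDAP)."""
    users = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line and not line.startswith("#")}
    return users | set(extra_users)


def suspicious_logins(auth_text, users):
    """Successful sshd logins whose username is not in `users`, as dicts of the parsed fields."""
    hits = []
    for line in auth_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") not in users:
            hits.append(m.groupdict())
    return hits


def run_checks(preload_text, passwd_text, auth_text, root="", exists=os.path.exists, extra_users=()):
    return {
        "preload_entries": preload_entries(preload_text),
        "missing_preload_objects": missing_preload_objects(preload_text, root, exists),
        "suspicious_logins": suspicious_logins(auth_text, known_users(passwd_text, extra_users)),
    }


def read_or_empty(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def main(argv):
    if len(argv) > 1:
        root = argv[1].rstrip("/")
        result = run_checks(read_or_empty(root + "/etc/ld.so.preload"),
                            read_or_empty(root + "/etc/passwd"),
                            read_or_empty(root + "/var/log/auth.log"),
                            root=root, extra_users=argv[2:])
    else:
        # The sample paths are not on this machine, so treat every preload object as missing.
        result = run_checks(SAMPLE_PRELOAD, SAMPLE_PASSWD, SAMPLE_AUTH_LOG, exists=lambda p: False)
    for key, value in result.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Any name after the mount point is treated as an additional known user, so `python triage.py /mnt/disk alice bob` keeps LDAP accounts out of the suspicious list. The script deliberately reads the files itself instead of calling `getent` or `ps`, since those go through the same libc the preloaded object hooks.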