Dear all
I found a further one. The crontab entries mentioned in this thread were found in the crontab of the openhab user.
I will further dig into this. I wonder what is next to be found.
Also worth mentioning: I found my system under an unusually high CPU load of 100% more or less constantly. The same is reported in other threads regarding this subject.
Update:
While still analysing, I found that fail2ban was continuing to report:
2019-07-31 09:20:49,286 fail2ban.filter [1105]: INFO [sshd] Ignore 127.0.0.1 by ip
2019-07-31 09:20:49,293 fail2ban.filter [1105]: INFO [sshd] Ignore 127.0.0.1 by ip
2019-07-31 09:20:51,447 fail2ban.filter [1105]: INFO [sshd] Ignore 127.0.0.1 by ip
Also I found the following suspect entries in auth.log:
Jul 29 19:47:56 sshd[19184]: pam_unix(sshd:auth): check pass; user unknown
Jul 29 19:47:56 sshd[19184]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Jul 29 19:47:59 sshd[19184]: Failed password for invalid user administrator from 127.0.0.1 port 42286 ssh2
Jul 29 19:49:02 su[19068]: pam_unix(su:session): session closed for user openhab
Jul 29 20:03:14 sshd[20404]: Invalid user test from 127.0.0.1 port 42940
Jul 29 20:03:14 sshd[20404]: input_userauth_request: invalid user test [preauth]
Jul 29 20:03:14 sshd[20404]: pam_unix(sshd:auth): check pass; user unknown
Jul 29 20:03:14 sshd[20404]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Jul 29 20:03:15 sshd[20404]: Failed password for invalid user test from 127.0.0.1 port 42940 ssh2
mail.log: Exim?? I never used it.
Jul 28 00:07:05 exim[32411]: 2019-07-28 00:07:05 1hrUqH-0008Ql-AE <= root@orlando.homeland U=root P=local S=679
Jul 28 00:07:05 exim[32411]: 2019-07-28 00:07:05 1hrUqH-0008Ql-AE Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=106 egid=114
Jul 28 00:07:05 exim[32411]: exim: could not open panic log - aborting: see message(s) above
Jul 31 09:06:09 exim[1497]: 2019-07-31 09:06:09 exim 4.89 daemon started: pid=1497, -q30m, listening for SMTP on [127.0.0.1]:25 [::1]:25
Jul 31 09:06:09 exim[1497]: 2019-07-31 09:06:09 Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=106 egid=114
Jul 31 09:06:09 exim[1497]: exim: could not open panic log - aborting: see message(s) above
Jul 31 09:27:15 exim[1385]: 2019-07-31 09:27:15 exim 4.89 daemon started: pid=1385, -q30m, listening for SMTP on [127.0.0.1]:25 [::1]:25
Jul 31 09:27:15 exim[1385]: 2019-07-31 09:27:15 Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=106 egid=114
Jul 31 09:27:15 exim[1385]: exim: could not open panic log - aborting: see message(s) above
What crap is that…
But after I removed all suspect crontab entries there were no more reports about such suspect entries, and in fact the last attempt at an outbound ssh connection was reported at 09:20:
Jul 31 09:20:32 kernel: [ 944.973810] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.223.200 DST=5.255.86.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30613 DF PROTO=TCP SPT=49442 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
tcpdump is still running, but nothing reported so far.
CPU usage is back to normal (1% to 5%).
After some more research I found the entry on trendmicro that is pretty much what I’ve got here.
Cheers
Stefan
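Added example, not from Stefan's post or the openHAB project: a small Python triage script over the kinds of log lines quoted above (the sample lines are copied from the post). It flags failed SSH logins whose source is loopback, which fail2ban never bans because its default ignoreip covers 127.0.0.1/8 and ::1, counts the "Ignore ... by ip" events that show fail2ban saw and skipped them, and lists destinations of outbound TCP/22 connections that UFW dropped.

```python
import re
from collections import Counter

# Sample lines copied from the post above (a constructed subset, for this example).
AUTH_LOG = """\
Jul 29 19:47:59 sshd[19184]: Failed password for invalid user administrator from 127.0.0.1 port 42286 ssh2
Jul 29 19:49:02 su[19068]: pam_unix(su:session): session closed for user openhab
Jul 29 20:03:15 sshd[20404]: Failed password for invalid user test from 127.0.0.1 port 42940 ssh2
"""
FAIL2BAN_LOG = """\
2019-07-31 09:20:49,286 fail2ban.filter [1105]: INFO [sshd] Ignore 127.0.0.1 by ip
2019-07-31 09:20:51,447 fail2ban.filter [1105]: INFO [sshd] Ignore 127.0.0.1 by ip
"""
KERN_LOG = """\
Jul 31 09:20:32 kernel: [ 944.973810] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.223.200 DST=5.255.86.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30613 DF PROTO=TCP SPT=49442 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
IGNORE_RE = re.compile(r"\[(?P<jail>\w+)\] Ignore (?P<ip>\S+) by ip")
UFW_RE = re.compile(r"\[UFW BLOCK\] IN=(?P<inif>\S*) OUT=(?P<outif>\S*) SRC=\S+ DST=(?P<dst>\S+) "
                    r".*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

LOOPBACK = {"127.0.0.1", "::1"}

def loopback_ssh_failures(lines):
    """Failed SSH logins whose source is loopback: a process on the box itself is guessing passwords."""
    return [(m["user"], m["ip"]) for m in map(FAILED_RE.search, lines) if m and m["ip"] in LOOPBACK]

def fail2ban_ignored(lines):
    """Count 'Ignore <ip> by ip' events per (jail, ip); attempts fail2ban saw but will never ban."""
    return Counter((m["jail"], m["ip"]) for m in map(IGNORE_RE.search, lines) if m)

def blocked_outbound_ssh(lines):
    """Destinations of TCP/22 connections the host itself tried to open and UFW dropped (IN empty, OUT set)."""
    counts = Counter()
    for m in map(UFW_RE.search, lines):
        if m and not m["inif"] and m["outif"] and m["proto"] == "TCP" and m["dpt"] == "22":
            counts[m["dst"]] += 1
    return counts

if __name__ == "__main__":
    print("loopback SSH failures:", loopback_ssh_failures(AUTH_LOG.splitlines()))
    print("fail2ban ignored:", dict(fail2ban_ignored(FAIL2BAN_LOG.splitlines())))
    print("blocked outbound SSH:", dict(blocked_outbound_ssh(KERN_LOG.splitlines())))
```

On a live system feed it the real files (/var/log/auth.log, /var/log/fail2ban.log, /var/log/kern.log) instead of the embedded samples.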