SSH issue

lenovohost

Hi

Can anyone tell me what exactly this means? I have searched a lot but have not found a correct answer.

24513 root 19 0.0 0.0 sshd: username [priv]
24546 username 19 0.0 0.0 sshd: username@notty

22814 username 19 0.0 0.0 sshd: username

24548 root 19 0.0 0.0 jailshell (username) [24557] ell -c /usr/libexec/openssh/sftp-server

24557 username 19 0.0 0.0 /usr/libexec/openssh/sftp-server

Is this hacking?

Can anyone help me?

I have some logs from the command

grep -i ssh /var/log/messages
Oct 11 16:57:04 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101101
Oct 11 16:57:04 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101101
Oct 11 16:57:04 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101101)
Oct 11 16:57:04 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101101)
Oct 11 16:57:06 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101102
Oct 11 16:57:06 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101102)
Oct 11 16:57:06 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101102
Oct 11 16:57:06 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101102)
Oct 11 20:25:07 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101103
Oct 11 20:25:07 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101103)
Oct 11 20:25:07 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101103
Oct 11 20:25:07 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101103)
Oct 11 20:38:08 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101104
Oct 11 20:38:08 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101104)
Oct 11 20:38:08 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101104
Oct 11 20:38:08 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101104)
Oct 11 20:39:07 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101105
Oct 11 20:39:07 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101105)
Oct 11 20:39:07 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101105
Oct 11 20:39:07 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101105)
Oct 11 20:47:03 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101106
Oct 11 20:47:03 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101106)
Oct 11 20:47:03 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101106
Oct 11 20:47:03 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101106)
Oct 11 20:49:22 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101107
Oct 11 20:49:22 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101107)
Oct 11 20:49:22 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101107
Oct 11 20:49:22 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101107)
Oct 11 21:04:33 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101108
Oct 11 21:04:33 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101108)
Oct 11 21:04:33 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101108
Oct 11 21:04:33 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101108)
Oct 11 21:06:45 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101109
Oct 11 21:06:45 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101109)
Oct 11 21:06:45 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101109
Oct 11 21:06:45 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101109)
Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/external: loaded serial 2009101110
Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/external: sending notifies (serial 2009101110)
Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101110
Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101110)
 
Do you shell into the system? If so, then it could be reporting you as the shell login.

From the looks of your first quoted area, you have JailShell enabled on your server. If that's the case, then a user can be shelling into their account.

24548 root 19 0.0 0.0 jailshell (username) [24557] ell -c /usr/libexec/openssh/sftp-server

This relates to sFTP - a process where a user uses FTP over SSH to upload files to the server.

You really need to contact the hosting company regarding this for final decisions - they will be able to assist you - if not, you need to find a new host.
 
Yes, we have the shell. We have disabled the user's login for the shell.

24513 root 19 0.0 0.0 sshd: username [priv]
24546 username 19 0.0 0.0 sshd: username@notty

Even though I have disabled the shell access, I am getting the message.
 
Is the username one of your accounts?

Have you disabled sFTP on your server? The other error definitely had jailshell listed, and that's shell access for users. If you believe you've disabled shell and you're still getting that notice, then it's not disabled.
 
Yes, it is one of the account holders, and sFTP is not disabled.
 
The first I imagine is your process table you are showing us. It just looks like you have a user or two running stuff over ssh.

24513 root 19 0.0 0.0 sshd: username [priv]
24546 username 19 0.0 0.0 sshd: username@notty
22814 username 19 0.0 0.0 sshd: username
24548 root 19 0.0 0.0 jailshell (username) [24557] ell -c /usr/libexec/openssh/sftp-server
24557 username 19 0.0 0.0 /usr/libexec/openssh/sftp-server

This looks like it's just users securely transferring over files, not a bad thing.

Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/internal: loaded serial 2009101110
Oct 11 22:00:15 Core2Quad named[3412]: zone domain.com/IN/internal: sending notifies (serial 2009101110)

This looks like it's just your DNS syncing. Named is your DNS server.

You look fine at first glance.
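
As an added example (not part of the thread or any poster's code), this sketch sorts process-table rows like the ones quoted above by sshd's process-title conventions: `[priv]` is the root-owned privilege-separation monitor, `@notty` is a session with no terminal allocated, and `@pts/N` is an interactive login. The sample rows, the `otheruser` account and the role labels are constructed for illustration.

```python
import re

# Constructed sample, modelled on the process table quoted in the thread
# (columns: PID, owner, priority, %CPU, %MEM, command).
SAMPLE = """\
24513 root 19 0.0 0.0 sshd: username [priv]
24546 username 19 0.0 0.0 sshd: username@notty
24557 username 19 0.0 0.0 /usr/libexec/openssh/sftp-server
24600 root 19 0.0 0.0 sshd: otheruser [priv]
24601 otheruser 19 0.0 0.0 sshd: otheruser@pts/0
"""

ROW = re.compile(r"^\d+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S.*)$")
TITLE = re.compile(r"^sshd: (\S+?)(?:@(\S+))?(?: \[(\w+)\])?$")

def classify(owner, cmd):
    """Map one process to a (user, role) pair; role labels are illustrative."""
    if cmd.split()[0].endswith("sftp-server"):
        return owner, "sftp-subsystem"      # file-transfer helper run as the user
    m = TITLE.match(cmd.strip())
    if not m:
        return owner, "other"
    user, tty, tag = m.groups()
    if tag == "priv":
        return user, "privsep-monitor"      # root-owned parent of the session
    if tty == "notty":
        return user, "session-no-tty"       # sftp/scp/remote command, no terminal
    if tty:
        return user, "interactive:" + tty   # a terminal was allocated
    return user, "session"

def summarize(ps_text):
    """Return {user: sorted list of roles} for every sshd-related row."""
    out = {}
    for line in ps_text.splitlines():
        row = ROW.match(line)
        if row:
            user, role = classify(row.group(1), row.group(2))
            if role != "other":
                out.setdefault(user, set()).add(role)
    return {u: sorted(r) for u, r in out.items()}

def interactive_users(ps_text):
    """Users holding a real terminal; notty plus sftp-server alone is file transfer."""
    return sorted(u for u, roles in summarize(ps_text).items()
                  if any(r.startswith("interactive:") for r in roles))

if __name__ == "__main__":
    print(summarize(SAMPLE), interactive_users(SAMPLE))
```
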
 