Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Water NB <netbsd78@126.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-users
Date: 01/12/2007 08:25:34
I removed three lists from my reply.
On Fri, 12 Jan 2007, Water NB wrote:
> 2) at last, login successfully via account cyrus.
How do you know? How do you know that was the first successful login?
> 3) install a program psyBNC 2.3.1 under /tmp and run it.
I have seen that before. (But never on NetBSD.)
> But this morning I found the cracker still logged into the system after only
> two tries.
> It is impossible to try 2 times and get the correct password.
> So I guess that he used a bug in sshd.
> What bug? I don't know.
Did you kill the cracker? Kill the processes in use? (And firewall?)
If the cracker came back in after you changed the password, then there may
be a password logger (like other email said) or a hole somewhere else.
> Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I changed it to /sbin/nologin, the cracker stopped cracking
> because he has to log out as soon as he logs in.
I don't know. Sounds good to me.
As for logging in to the cyrus account ... if installed by pkgsrc, that
password field is impossible and couldn't be used to log in.
> Jan 12 00:07:04 mail sshd[22316]: Failed password for cyrus from
> AAA.BBB.CCC.DDD port 57590 ssh2
> Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from
> AAA.BBB.CCC.DDD port 57622 ssh2
> (!!!!!)
Strange. I don't understand why it had a valid password.
By the way, maybe you have files under /etc/mtree/ you can use with mtree
to check if files changed on your system.
Jeremy C. Reed
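The log pattern discussed in this thread, a failed password for an account followed seconds later by an accepted password for the same account from the same address, is easy to flag automatically. The following is an added example, not code from this thread or from NetBSD; it parses sshd syslog lines in the format quoted above (the sample lines and the 192.0.2.x addresses are constructed) and reports password logins that were preceded by recent failures from the same source.

```python
import re
from datetime import datetime

# Constructed sample log in the sshd syslog format quoted in the thread
# (not the original poster's real log; addresses are documentation ranges).
SAMPLE_LOG = """\
Jan 12 00:06:58 mail sshd[22301]: Failed password for cyrus from 192.0.2.10 port 57501 ssh2
Jan 12 00:07:04 mail sshd[22316]: Failed password for cyrus from 192.0.2.10 port 57590 ssh2
Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from 192.0.2.10 port 57622 ssh2
Jan 12 00:09:30 mail sshd[19400]: Accepted publickey for admin from 192.0.2.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2007):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def suspicious_logins(log_text, window_seconds=600, min_failures=1):
    """Return (user, ip, failure_count) for every accepted *password* login
    preceded by at least min_failures failed attempts for the same user
    from the same address within window_seconds."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, e in enumerate(events):
        if e["result"] != "Accepted" or e["method"] != "password":
            continue
        failures = sum(
            1 for p in events[:i]
            if p["result"] == "Failed" and p["user"] == e["user"]
            and p["ip"] == e["ip"]
            and 0 <= (e["ts"] - p["ts"]).total_seconds() <= window_seconds
        )
        if failures >= min_failures:
            findings.append((e["user"], e["ip"], failures))
    return findings


if __name__ == "__main__":
    for user, ip, n in suspicious_logins(SAMPLE_LOG):
        print(f"password login for {user} from {ip} after {n} recent failure(s)")
```

On the constructed sample this reports the cyrus login from 192.0.2.10 with two prior failures and ignores the key-based admin login.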