Ssh – How to track who SSH’es into the linux machine

As your system has been compromised, no information you get from that system can be trusted. Only logs that are immediately shipped off to an external system can be trusted (such as real time remote syslog). Meaning if you've got some nightly log rotation to an NFS share, you cannot trust it.

However it is possible the user did not bother covering his/her tracks, and you might have the information still available on the system.

Unfortunately on a default Centos/RHEL install, there is very minimal logging. You're basically restricted to poking around in /var/log. Which log you should dig through depends on what services are running on that box. However I would start with the ssh log. After that look at the logs of any services which run as root, or have sudo access.

If you're lucky, that test11 user might have a home directory, with a .bash_history file containing a history of what was done.

Also, as the system has been compromised to the point where an unknown user was able to gain root access, the system must be rebuilt from scratch. You cannot reuse anything from the system. Consider every single file as compromised. I would also recommend against using backups as you don't know how long ago the system was compromised.

Once a user gains root access, there are an unlimited number of backdoors that could be installed. If I were the one who had gained access to your system, simply removing that test11 user and changing the root password wouldn't even slow me down.

In the future, there are a few things you can do.

Remote logging

As mentioned, only real-time remote logging can be trusted not to be tampered with. Make sure you have this.

Auditing

There are 2 utilities you should install and use to monitor and audit the critical components of the system. These are auditd and ossec.

These 2 utilities operate differently, but are for the same goal, to watch for abnormal activity.

Terminal logging

There is another auditing tool called pam_tty_audit that works in conjunction with the earlier mentioned auditd utility. pam_tty_audit is a utility you add to your pam stack which logs all input & output across the TTY. Meaning if the user is accessing the box via interactive ssh, their activity would be logged.
Note however that it is of the utmost importance that this log be protected at all costs. This is mostly because of passwords. When the you type your password at a prompt, even though you don't see the password being typed, the pam_tty_audit module will see it, and log it. It is also possible you will cat out (or otherwise view) files containing sensitive information, which will also be logged. Thus this log must be either be immediately shipped off the local system so that it cannot be obtained by intruders, or it must be encrypted (and the decryption key must not be on the local system). Preferably both should be performed, ship off remotely, and encrypt it.

You can use the last command to get this information

# last|head
phemmer  ssh          192.168.0.24     Wed Aug 20 21:08 - 21:08  (00:00)
phemmer  pts/13       192.168.0.2      Wed Aug 20 14:00 - 18:43  (04:43)
phemmer  ssh          192.168.0.2      Wed Aug 20 14:00 - 18:43  (04:43)
phemmer  ssh          ::1              Wed Aug 13 23:08 - 23:08  (00:00)
phemmer  ssh          ::1              Wed Aug 13 23:08 - 23:08  (00:00)
phemmer  ssh          ::1              Wed Aug 13 23:07 - 23:07  (00:00)
phemmer  pts/15       192.168.0.20     Thu Aug  7 19:00 - 19:00  (00:00)
phemmer  ssh          192.168.0.20     Thu Aug  7 19:00 - 19:00  (00:00)
phemmer  :0                            Wed Jul 30 20:06   still logged in
reboot   system boot  3.13.2-gentoo    Wed Jul 30 20:05   still running

As you can no doubt see, the 3rd column will show the remote IP address in the event of an SSH login.

last uses the /var/log/wtmp file, so this method is similar to G-Man's answer (just a bit simpler since you don't have to specify the path to the file).