Date: Wed, 5 Jan 2005 09:38:22 +0300
From: Sergey Zaharchenko
To: Bill Moran
cc: questions@freebsd.org
Subject: Re: Someone trying to break in.
Message-ID: <20050105063822.GA1933@shark.localdomain>
In-Reply-To: <20050104100639.6f01c87a.wmoran@potentialtech.com>

On Tue, Jan 04, 2005 at 10:06:39AM -0500, Bill Moran probably wrote:
>
> Over the holiday I replaced a server that appeared to have been cracked.
> Basically built a replacement with the same services in a sandbox, then
> swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam coming
> off it that the old one was generating, however, I'm seeing a lot of
> messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
that someone is trying to su.

/usr/sbin/nologin can't be a home directory; it must be the shell for
some user who isn't supposed to log in. /nonexistent should be the home
directory. It looks possible that your password file specifies
/usr/sbin/nologin as a home directory and a valid shell for some system
user. Maybe you omitted or added an extra `:'?

Just a guess,
-- 
DoubleF

Dealing with failure is easy: work hard to improve. Success is also easy
to handle: you've solved the wrong problem. Work hard to improve.
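The misconfiguration DoubleF guesses at can be checked mechanically rather than by eye. The shell script below is an added example, not code from the original thread or from FreeBSD: it reads master.passwd(5)-format lines and reports any entry whose home-directory field holds a program path such as /usr/sbin/nologin, and any line whose colon count does not give the expected ten fields. The sample entries are constructed for the example (the `www` line carries the suspected problem, the `smmsp` line has one colon too many), and the list of base-system shell paths it treats as "a program, not a directory" is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD: audit
# master.passwd(5)-format entries for a shell path such as /usr/sbin/nologin
# sitting in the home-directory field, and for lines whose field count is off
# (a dropped or extra ':').
#
# Field layout of master.passwd (10 colon-separated fields):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
#
# Constructed sample input. The "www" line carries the suspected
# misconfiguration (home is /usr/sbin/nologin, shell is a real shell); the
# "smmsp" line has one colon too many. Everything else is well-formed.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/usr/sbin/nologin:/bin/sh
smmsp:*:25:25:::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Paths that are programs, never directories; any of them in the home field is
# a finding. /usr/sbin/nologin is the one from the log line in the thread; the
# others are base-system shells (list assumed for the example).
PROGRAM_PATHS='/usr/sbin/nologin /bin/sh /bin/csh /bin/tcsh'

# audit_passwd: read master.passwd lines on stdin, print one "user: finding"
# line per problem. Always exits 0 so the caller can count the output lines.
audit_passwd() {
    awk -F: -v progs="$PROGRAM_PATHS" '
    BEGIN {
        n = split(progs, p, " ")
        for (i = 1; i <= n; i++) is_program[p[i]] = 1
    }
    /^#/ || NF == 0 { next }                      # comments and blank lines
    {
        if (NF != 10)
            printf "%s: %d fields instead of 10 (missing or extra colon?)\n", $1, NF
        # The log line in the thread shows su(1) trying to stat <home>/.login_conf;
        # with a program in the home field that stat fails with "Not a directory".
        if ($9 in is_program)
            printf "%s: home field %s is a program, not a directory (su would stat %s/.login_conf)\n", $1, $9, $9
    }'
}

# count_findings: number of problem lines reported for the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_passwd
```

On a live FreeBSD host the same function is run as root against the real file, `audit_passwd < /etc/master.passwd`; a clean system prints nothing. The field check is positional on purpose: a dropped or added colon shifts every later field, so the home column is tested exactly where su and pwd_mkdb would read it, not at the end of the line.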