Date:      Wed, 5 Jan 2005 09:38:22 +0300
From:      Sergey Zaharchenko <doublef@tele-kom.ru>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        questions@freebsd.org
Subject:   Re: Someone trying to break in.
Message-ID:  <20050105063822.GA1933@shark.localdomain>
In-Reply-To: <20050104100639.6f01c87a.wmoran@potentialtech.com>
References:  <20050104100639.6f01c87a.wmoran@potentialtech.com>


On Tue, Jan 04, 2005 at 10:06:39AM -0500,
 Bill Moran probably wrote:
> 
> Over the holiday I replaced a server that appeared to have been cracked.
> Basically built a replacement with the same services in a sandbox, then
> swapped it with the old one.
> 
> The new server seems to be secure, as we're not seeing the spam coming
> off it that the old one was generating, however, I'm seeing a lot of
> messages in the log files.  For example:
> 
> Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
that someone is trying to su. /usr/sbin/nologin can't be a home
directory, it must be the shell for some user who isn't supposed to log
in. /nonexistent should be the home directory. It looks possible that
your password file specifies /usr/sbin/nologin as a home directory and a
valid shell for some system user. Maybe you omitted or added an extra
`:'? Just a guess,

-- 
DoubleF
Dealing with failure is easy: work hard to improve.  Success is also
easy to handle: you've solved the wrong problem.  Work hard to
improve.
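The check the reply suggests, as an added example that is not part of the original thread: parse passwd(5)-style lines (the 7-field /etc/passwd layout, not the 10-field master.passwd) and flag an entry whose field count is off by one (a missing or extra ':'), whose home directory is really a shell path such as /usr/sbin/nologin, or which is a system account left with a login shell. The sample lines, the UID cut-off for "system account" and the set of no-login shells are assumptions made for the example.

```python
"""Check passwd(5)-style entries for the mistake the reply suspects: a
home directory that is really a shell path, a field slip from a missing
or extra ':', or a system account left with a login shell.

Added example, not from the original thread.  The sample lines below are
constructed for illustration, not copied from any real system.
"""
from typing import Dict, List

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PASSWD_FIELDS = 7             # name:passwd:uid:gid:gecos:home:shell
SYSTEM_UID_MAX = 999          # assumption: UIDs at or below this are system accounts
ROOT_NAMES = {"root", "toor"}  # FreeBSD ships both with UID 0


def check_passwd_line(line: str) -> List[str]:
    """Return the problems found in one passwd(5) line (empty list if clean)."""
    fields = line.rstrip("\n").split(":")
    name = fields[0] or "<empty>"
    if len(fields) != PASSWD_FIELDS:
        # A missing or extra ':' shifts every later field by one, which is
        # exactly how a shell path ends up in the home-directory slot.
        return [f"{len(fields)} fields, expected {PASSWD_FIELDS} (missing or extra ':')"]

    problems: List[str] = []
    _, _, uid_str, _, _, home, shell = fields

    try:
        uid = int(uid_str)
    except ValueError:
        problems.append(f"non-numeric uid {uid_str!r}")
        uid = -1

    if home in NOLOGIN_SHELLS:
        problems.append(f"home directory is a shell path {home}; use /nonexistent")
    elif not home.startswith("/"):
        problems.append(f"home directory {home!r} is not an absolute path")

    # An empty shell field means /bin/sh, so treat it as a login shell.
    effective_shell = shell or "/bin/sh"
    if 0 < uid <= SYSTEM_UID_MAX and effective_shell not in NOLOGIN_SHELLS:
        problems.append(f"system account (uid {uid}) has login shell {effective_shell}")

    if uid == 0 and name not in ROOT_NAMES:
        problems.append("unexpected UID 0 account")

    return problems


def check_passwd(text: str) -> Dict[str, List[str]]:
    """Map each offending account name to its list of problems."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        problems = check_passwd_line(line)
        if problems:
            findings[line.split(":")[0]] = problems
    return findings


# Constructed sample: one clean root, one clean nologin account, one entry
# with the shell path in the home slot, one with an extra ':', and one
# system account whose empty shell field defaults to /bin/sh.
SAMPLE = """\
root:*:0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/usr/sbin/nologin:/bin/sh
bind:*:53:53:Bind Sandbox::/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:
"""

if __name__ == "__main__":
    for account, problems in check_passwd(SAMPLE).items():
        for problem in problems:
            print(f"{account}: {problem}")
```

To run it against a live file, pass the contents of /etc/passwd to check_passwd() instead of SAMPLE; mailnull in the sample reproduces the situation in the log line above, where su sees /usr/sbin/nologin as the home directory and tries to stat .login_conf beneath it.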




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050105063822.GA1933>