From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Thu, 5 Sep 2002 12:45:45 +0100
To: "J.D. Bronson"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: security run question..
Message-ID: <20020905114545.GB32849@happy-idiot-talk.infracaninophi>
References: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>
In-Reply-To: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>
User-Agent: Mutt/1.5.1i

On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> I noticed this in my daily security run.
> Is a user trying to do something bad here?
>
> > Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> > Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> > Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> > Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> > Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> > Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> > Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> > Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110):
> > /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> > Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> > Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied

Yup. That's some user attempting unauthorised access to the password
database (Bad user! No biscuit!). Doesn't look like a very sophisticated
attack, and nothing shown in your message indicates that they actually
got anywhere.

However, as a conscientious and appropriately paranoid sysadmin you
should now be in full alert mode, hunting around the system for evidence
of break-ins and trying to trace the identity of the person who did
that. I'd also immediately lock out the affected account and probably be
looking to completely delete it --- even if the nominal user of the
account had no connection to the attempted break-in they may still have
been negligent about keeping their access credentials (password, ssh
keys, etc.) properly secured.

Questions C1 and C2 of the CERT/CC FAQ may be of use to you:

http://www.cert.org/faq/cert_faq.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH
UK
Tel: +44 1628 476614
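The security run output quoted above is raw syslog. When you are in the "full alert mode" the reply recommends, the first useful step is to turn those lines into a per-file summary: which programs hit the file, how many times, in what time window, and whether the attempts came in a burst. The script below is an added example written for this thread; it is not code from the list, from FreeBSD's periodic(8) scripts, or from either poster. It uses the lines J.D. Bronson posted as constructed sample input (the wrapped sendmail entry re-joined onto one line). The watch list of sensitive paths and the year supplied for the timestamps (syslog omits it) are assumptions, not anything the message states.

```python
"""Summarise 'Permission denied' entries from a FreeBSD daily security run.

Added example for the freebsd-questions thread; not code from the list or
from FreeBSD itself. The sample lines are the ones quoted in the message.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog lines copied from the quoted message (sendmail entry re-joined).
SAMPLE_LOG = """\
Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
"""

# Assumed watch list (not from the message): password database files whose
# denied opens should be flagged rather than merely noted.
WATCHED_PATHS = {"/etc/pwd.db", "/etc/spwd.db", "/etc/master.passwd"}

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
PATH_RE = re.compile(r"(/[^\s:]+)")   # first absolute path in the message
UID_RE = re.compile(r"UID(\d+)")      # sendmail's SYSERR(UIDnnn) marker


def parse_line(line, year=2002):
    """Parse one syslog line; return None unless it ends in 'Permission denied'.

    `year` is assumed because the syslog timestamp carries none.
    """
    m = SYSLOG_RE.match(line)
    if not m or not m.group("msg").endswith("Permission denied"):
        return None
    stamp = f"{year} {m.group('mon')} {int(m.group('day')):02d} {m.group('time')}"
    path = PATH_RE.search(m.group("msg"))
    uid = UID_RE.search(m.group("msg"))
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "path": path.group(1) if path else None,
        "uid": int(uid.group(1)) if uid else None,
    }


def cluster(times, window):
    """Group sorted timestamps into bursts whose consecutive gaps are <= window."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][1] <= window:
            bursts[-1][1] = t
            bursts[-1][2] += 1
        else:
            bursts.append([t, t, 1])
    return [tuple(b) for b in bursts]


def summarise(log_text, window=timedelta(minutes=10), year=2002):
    """Return {path: summary} for every file that produced a denied open."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    summary = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["ts"])
        summary[path] = {
            "count": len(evs),
            "programs": sorted({e["prog"] for e in evs}),
            "uids": sorted({e["uid"] for e in evs if e["uid"] is not None}),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "bursts": cluster([e["ts"] for e in evs], window),
            "watched": path in WATCHED_PATHS,
        }
    return summary


def report(summary):
    """Render the summary, watched paths first, then by descending count."""
    lines = []
    order = sorted(summary.items(), key=lambda kv: (not kv[1]["watched"], -kv[1]["count"]))
    for path, s in order:
        flag = "ALERT" if s["watched"] else "note "
        lines.append(f"{flag} {path}: {s['count']} denied opens by {', '.join(s['programs'])} "
                     f"between {s['first']:%b %d %H:%M:%S} and {s['last']:%b %d %H:%M:%S}")
        for start, end, n in s["bursts"]:
            if n > 1:
                lines.append(f"      burst of {n} in {start:%H:%M:%S}-{end:%H:%M:%S}")
        if s["uids"]:
            lines.append(f"      uids mentioned: {', '.join(map(str, s['uids']))}")
    return lines


if __name__ == "__main__":
    for line in report(summarise(SAMPLE_LOG)):
        print(line)
```

On the quoted input this reports a single ALERT for /etc/pwd.db: nine denied opens from five different programs, eight of them in one four-minute burst and a lone one at 08:01, plus a note for /etc/mail/sendmail.cf carrying UID 110. Grouping by path and clustering in time is what separates the picture the reply describes (one person trying different tools in quick succession) from the isolated permission errors a healthy system also produces; the per-program list and the UID from sendmail's SYSERR are the leads for the "trace the identity" step.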