Date:      Thu, 5 Sep 2002 12:45:45 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "J.D. Bronson" <lists@xpec.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: security run question..
Message-ID:  <20020905114545.GB32849@happy-idiot-talk.infracaninophi>
In-Reply-To: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>
References:  <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>

On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> I noticed this in my daily security run.
> Is a user trying to do something bad here?
> 
> 
> > Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> > Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> > Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> > Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> > Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> > Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> > Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> > Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> > Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> > Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied

Yup.  That's some user attempting unauthorised access to the password
database (Bad user! No biscuit!).  Doesn't look like a very
sophisticated attack, and nothing shown in your message indicates that
they actually got anywhere.

However, as a conscientious and appropriately paranoid sysadmin you
should now be in full alert mode, hunting around the system for
evidence of breakins and trying to trace the identity of the person
who did that.  I'd also immediately lock out the affected account and
probably be looking to completely delete it --- even if the nominal
user of the account had no connection to the attempted break-in they
may still have been negligent about keeping their access credentials
(password, ssh keys, etc.) properly secured.

Questions C1 and C2 of the CERT/CC FAQ may be of use to you:
http://www.cert.org/faq/cert_faq.html 

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
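As an added example (not part of the thread above, and not FreeBSD's own tooling), the script below does the first step of the "hunt around the system" advice: it parses the quoted syslog lines, keeps only the "Permission denied" events, and summarises per file which programs and UIDs triggered them, when, and how tightly clustered they were. The sample lines are the ones quoted in the thread, reassembled into one line each; the year 2002 is assumed because syslog omits it, and the list of sensitive paths is a constructed watchlist, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the syslog lines quoted in the thread, one event per line.
SAMPLE_LOG = """\
Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
"""

# Assumed watchlist of files whose access failures deserve attention.
SENSITIVE = {"/etc/pwd.db", "/etc/spwd.db", "/etc/master.passwd", "/etc/passwd"}

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The path that was denied; sendmail wraps it in "line N: cannot open:".
DENIED_RE = re.compile(r"(?P<path>/\S+?): (?:line \d+: cannot open: )?Permission denied")


def parse_line(line, year=2002):
    """Return a denial event dict for one syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = DENIED_RE.search(m["msg"])
    if not d:
        return None
    uid = re.search(r"UID(\d+)", m["msg"])  # sendmail's SYSERR(UIDnnn) tag
    return {
        "when": datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "path": d["path"],
        "uid": int(uid.group(1)) if uid else None,
    }


def find_denials(text, year=2002):
    """All permission-denied events in a block of syslog text, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def max_burst(times, window_seconds=300):
    """Largest number of events that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(text, year=2002, window_seconds=300):
    """Per-path summary: count, programs, UIDs, time span and burstiness."""
    by_path = defaultdict(list)
    for e in find_denials(text, year):
        by_path[e["path"]].append(e)
    report = {}
    for path, evs in by_path.items():
        report[path] = {
            "count": len(evs),
            "sensitive": path in SENSITIVE,
            "programs": sorted({e["prog"] for e in evs}),
            "uids": sorted({e["uid"] for e in evs if e["uid"] is not None}),
            "first": evs[0]["when"],
            "last": evs[-1]["when"],
            "max_burst": max_burst([e["when"] for e in evs], window_seconds),
        }
    return report


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        flag = "SENSITIVE" if info["sensitive"] else "other"
        print(f"{path} [{flag}] {info['count']} denials, programs={info['programs']}, "
              f"uids={info['uids']}, {info['first']:%H:%M:%S}..{info['last']:%H:%M:%S}, "
              f"densest 5-minute burst={info['max_burst']}")
```

The point of the summary is to turn a scrolling list into questions a responder can act on: the programs column (an interactive shell, ls, vi, mutt) says this was a person at a terminal rather than a daemon, the burst figure shows the attempts were minutes apart, and the UID from the sendmail line is the one identifier in the excerpt that can be mapped straight back to an account in the password file.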
