Date: Thu, 5 Sep 2002 14:32:59 +0200
From: Roman Neuhauser <neuhauser@bellavista.cz>
To: "J.D. Bronson" <lists@xpec.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: security run question..
Message-ID: <20020905123259.GJ10717@freepuppy.bellavista.cz>
In-Reply-To: <5.1.1.6.2.20020905070254.00b17d40@localhost>
References: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com> <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com> <5.1.1.6.2.20020905070254.00b17d40@localhost>
# lists@xpec.com / 2002-09-05 07:06:20 -0500:
> At 06:45 AM 9/5/2002, Matthew Seaman wrote:
> >On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> >> I noticed this in my daily security run.
> >> Is a user trying to do something bad here?
> >>
> >> > Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> >> > Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> >> > Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> >> > Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
> >
> >Yup. That's some user attempting unauthorised access to the password
> >database (Bad user! No biscuit!). Doesn't look like a very
> >sophisticated attack, and nothing shown in your message indicates that
> >they actually got anywhere.
...
> mutt/zsh are used by ONE person and only that person.
> I only allow ssh into the machine and it is restricted to 3 IPs via the
> firewall (external unit). So unless a binary was hacked into *doubt it*, I
> would like to verify this person as the culprit.
>
> Trouble is that the ssh log shows him logging in at 1am, but then dropping
> out. And all of this seemed to happen around 5am?

crontab?

-- 
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE 2:30PM up 15 days, 20:23, 10 users, load averages: 0.02, 0.05, 0.00
end
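As an added triage example (not part of the thread, and not anyone's posted code), the script below parses the syslog lines quoted above, buckets the "Permission denied" events into fixed time windows per program, and pulls out the numeric uid that sendmail logged, which is the kind of timing check behind the "crontab?" question. The sample input is constructed from the thread's own lines; the BSD syslog line layout the regex assumes ("Mon D HH:MM:SS host prog[pid]: message") is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the thread above.
SAMPLE_LOG = """\
Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
"""

# Assumed layout "Mon  D HH:MM:SS host prog[pid]: message"; keep only denials.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*Permission denied)$"
)
# sendmail names the numeric uid it ran as when it could not open a file.
UID_RE = re.compile(r"SYSERR\(UID(\d+)\)")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        uid = UID_RE.search(e["msg"])
        e["uid"] = int(uid.group(1)) if uid else None
        events.append(e)
    return events

def triage(log, window_minutes=10):
    """Bucket denials into fixed windows and count the programs in each: a burst
    of interactive tools (shell, ls, vi, mutt) in one window looks like a single
    session; a lone hit at a round minute (08:01:00) has the shape of a cron job."""
    windows = defaultdict(lambda: defaultdict(int))
    uids = set()
    for e in parse(log):
        hh, mm = e["time"].split(":")[:2]
        key = f"{e['mon']} {e['day']} {hh}:{int(mm) // window_minutes * window_minutes:02d}"
        windows[key][e["prog"].strip()] += 1
        if e["uid"] is not None:
            uids.add(e["uid"])
    return {"windows": {k: dict(v) for k, v in windows.items()}, "uids": sorted(uids)}
```

Compare the window keys against the system and user crontabs and the sshd login times; a window with no matching session and a minute-aligned timestamp is the one to look at first.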