Date:      Thu, 5 Sep 2002 14:32:59 +0200
From:      Roman Neuhauser <neuhauser@bellavista.cz>
To:        "J.D. Bronson" <lists@xpec.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: security run question..
Message-ID:  <20020905123259.GJ10717@freepuppy.bellavista.cz>
In-Reply-To: <5.1.1.6.2.20020905070254.00b17d40@localhost>
References:  <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com> <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com> <5.1.1.6.2.20020905070254.00b17d40@localhost>

# lists@xpec.com / 2002-09-05 07:06:20 -0500:
> At 06:45 AM 9/5/2002, Matthew Seaman wrote:
> >On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> >> I noticed this in my daily security run.
> >> Is a user trying to do something bad here?
> >>
> >> > Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> >> > Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> >> > Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> >> > Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> >> > Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
> >
> >Yup.  That's some user attempting unauthorised access to the password
> >database (Bad user! No biscuit!).  Doesn't look like a very
> >sophisticated attack, and nothing shown in your message indicates that
> >they actually got anywhere.

    ...

> mutt/zsh are used by ONE person and only that person.
> I only allow ssh into the machine and it is restricted to 3 IPs via the 
> firewall (external unit). So unless a binary was hacked into *doubt it*, I 
> would like to verify this person as the culprit.
> 
> Trouble is that the ssh log shows him logging in at 1am, but then dropping 
> out. And all of this seemed to happen around 5am?

    crontab?

-- 
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE
2:30PM up 15 days, 20:23, 10 users, load averages: 0.02, 0.05, 0.00
end
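The check Roman's one-word reply points at, written out as an added example that is not part of the thread: parse the security-run lines J.D. quoted, count the failures per program, and test whether any of them fall inside an interactive ssh session window. The session window is constructed from the 1am login he describes; hits outside every window are the ones to trace to crontab, at, or periodic jobs rather than to a person at a shell.

```python
import re
from collections import Counter

# Constructed sample input: the daily security-run excerpt quoted in the thread.
SECURITY_RUN = """\
Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
"""

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional)
LINE_RE = re.compile(
    r'^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[(\d+)\])?: (.*)$')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, when, host, prog, pid, msg = m.groups()
    # "when" stays a zero-padded HH:MM:SS string so plain comparison orders it
    return {"when": when, "host": host, "prog": prog,
            "pid": int(pid) if pid else None, "msg": msg}

def denied_events(log):
    """Keep only the EACCES failures; these are what the security run flags."""
    events = (parse_line(l) for l in log.splitlines())
    return [e for e in events if e and e["msg"].endswith("Permission denied")]

def by_program(events):
    return Counter(e["prog"] for e in events)

def outside_sessions(events, sessions):
    """Events whose timestamp lies in no (login, logout) HH:MM:SS window.
    Nobody was typing at a shell then, so look at cron/at/periodic jobs."""
    return [e for e in events
            if not any(start <= e["when"] <= end for start, end in sessions)]

if __name__ == "__main__":
    ev = denied_events(SECURITY_RUN)
    print(by_program(ev))
    # constructed: the 1am ssh login mentioned in the thread, dropped after ~30 min
    print(len(outside_sessions(ev, [("01:00:00", "01:30:00")])), "events outside any ssh session")
```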