Message-Id: <5.1.1.6.2.20020905093337.00b0c0f0@localhost>
Date: Thu, 05 Sep 2002 09:36:42 -0500
To: Matthew Seaman
From: "J.D. Bronson"
Subject: Re: security run question..
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <20020905114545.GB32849@happy-idiot-talk.infracaninophi>
References: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>

At 06:45 AM 9/5/2002, Matthew Seaman wrote:
> On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> > I noticed this in my daily security run.
> > Is a user trying to do something bad here?
> >
> > > Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> > > Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> > > Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> > > Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
>
> Yup. That's some user attempting unauthorised access to the password
> database (Bad user! No biscuit!). Doesn't look like a very
> sophisticated attack, and nothing shown in your message indicates that
> they actually got anywhere.
>
> However, as a conscientious and appropriately paranoid sysadmin you
> should now be in full alert mode, hunting around the system for
> evidence of break-ins and trying to trace the identity of the person
> who did that. I'd also immediately lock out the affected account and
> probably be looking to completely delete it --- even if the nominal
> user of the account had no connection to the attempted break-in they
> may still have been negligent about keeping their access credentials
> (password, ssh keys, etc.) properly secured.

This story seems to have an ending. I talked with the individual and he
claims he was not home or at work at the time... thus leading me to
believe that his ssh key was compromised.

I only allow ssh and only with keys. Not even password or password
fallback. I pulled access due to his negligence. He complained. TOO BAD.

Now I have to reload this machine. There are more and more things I keep
finding... even the time is now GMT instead of my normal time zone.

Damn.

-- 
J.D. Bronson
Aurora Health Care // Information Systems // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.603.8282
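As an added example (not part of the thread or of FreeBSD's own periodic scripts), a small Python script that parses security-run lines of the kind quoted above and flags files that several different programs repeatedly failed to open, which is the pattern Matthew reads as a person poking at the password database. The set of watched files is an assumption chosen for the example, and the sample input is the report quoted in the thread.

```python
import re
from collections import defaultdict
# One syslog line as printed by the FreeBSD daily security run, e.g.
# "Sep  5 05:21:20 molson mutt: /etc/pwd.db: Permission denied"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
PATH_RE = re.compile(r"/[^\s:]+")  # first absolute path inside the message
# Files whose failed opens deserve a second look (assumed set for this example).
WATCHED = {"/etc/pwd.db", "/etc/spwd.db", "/etc/master.passwd", "/etc/mail/sendmail.cf"}

def parse_line(line):
    """Return (timestamp, program, path) for a 'Permission denied' line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m or "Permission denied" not in m.group("msg"):
        return None
    p = PATH_RE.search(m.group("msg"))
    return (m.group("ts"), m.group("prog"), p.group(0)) if p else None

def summarize(lines, watched=WATCHED):
    """Group denied opens of watched files: attempt count, programs used, time span."""
    report = defaultdict(lambda: {"count": 0, "programs": set(), "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in watched:
            ts, prog, path = parsed
            e = report[path]
            e["count"] += 1
            e["programs"].add(prog)
            e["first"] = e["first"] or ts
            e["last"] = ts
    return dict(report)

def suspicious(report, min_attempts=3, min_programs=2):
    """Files probed repeatedly from several programs: one stray open is noise,
    a burst from a shell, ls, vi and mutt looks like a person at a keyboard."""
    return sorted(path for path, e in report.items()
                  if e["count"] >= min_attempts and len(e["programs"]) >= min_programs)

# Sample input: the report lines quoted in the thread above.
SAMPLE = """\
Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
""".splitlines()
```

Running `suspicious(summarize(SAMPLE))` returns only `/etc/pwd.db`: the single sendmail failure on sendmail.cf stays in the summary but is not flagged, which is the distinction a daily report should make.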