Date: Tue, 8 Oct 2002 13:23:08 +0300
From: Peter Pentchev
To: Mike Hoskins
Cc: Riley, FreeBSD Security
Subject: Re: chkrootkit help
Message-ID: <20021008102308.GB376@straylight.oblivion.bg>
In-Reply-To: <20021007131203.L83742-100000@fubar.adept.org>

On Mon, Oct 07, 2002 at 01:33:04PM -0700, Mike Hoskins wrote:
> On Mon, 7 Oct 2002, Riley wrote:
[snip]
> > Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> > I/O error on connection from [203.48.40.139], from=
> > Oct 7 08:45:13 aji /kernel: file: table is full
> >
> OK, most of these look IO related... But what's this mean?
>
> > Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
>
> > Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> > (core dumped)
>
> If 'root' really doesn't exist, then who is uid 0?

It might well be that the POP3 service does not authenticate against
the system passwd file; think 'virtual domains'. There might be no user
named 'root' in the virtual domain requested, even though there is such
a user on the local machine :)

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If wishes were fishes, the antecedent of this conditional would be true.