Date: Fri, 7 Jan 2005 14:56:00 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Sergey Zaharchenko <doublef@tele-kom.ru>
Cc: questions@freebsd.org
Subject: Re: Someone trying to break in.
Message-ID: <20050107145600.5cc307a3.wmoran@potentialtech.com>
In-Reply-To: <20050105063822.GA1933@shark.localdomain>
References: <20050104100639.6f01c87a.wmoran@potentialtech.com> <20050105063822.GA1933@shark.localdomain>
Sergey Zaharchenko <doublef@tele-kom.ru> wrote:

> On Tue, Jan 04, 2005 at 10:06:39AM -0500,
> Bill Moran probably wrote:
>
> > Over the holiday I replaced a server that appeared to have been cracked.
> > Basically built a replacement with the same services in a sandbox, then
> > swapped it with the old one.
> >
> > The new server seems to be secure, as we're not seeing the spam coming
> > off it that the old one was generating, however, I'm seeing a lot of
> > messages in the log files. For example:
> >
> > Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
>
> It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
> that someone is trying to su. /usr/sbin/nologin can't be a home
> directory, it must be the shell for some user who isn't supposed to log
> in. /nonexistent should be the home directory. It looks possible that
> your password file specifies /usr/sbin/nologin as a home directory and a
> valid shell for some system user. Maybe you omitted or added an extra
> `:'? Just a guess,

Thanks for the input, Sergey. That's certainly what's happening. For some
reason, certain user records are awry.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
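Sergey's diagnosis is that a stray or missing `:' in a passwd record shifts the home-directory and shell fields, so that /usr/sbin/nologin ends up in the home field and the "shell" becomes something that may actually run. The following POSIX sh/awk script is an added example, not code from either poster or from FreeBSD; it audits a 7-field passwd(5)-format file (not the 10-field master.passwd) and flags records with the wrong field count, a home directory that is a nologin shell, or a relative home path. The sample file it builds is constructed here to reproduce both mistakes Sergey describes.

```shell
#!/bin/sh
# Added example: audit a passwd(5)-format file for records whose fields
# have been shifted by a stray or missing ':' (wrong field count) or whose
# home-directory field holds a nologin shell instead of a directory.
# Expected layout (7 fields): name:passwd:uid:gid:gecos:home:shell

# check_passwd FILE
#   Prints one diagnostic line per suspicious record; prints nothing when
#   every record looks sane.
check_passwd() {
    awk -F: '
        NF != 7 {
            printf "%s: line %d: %d fields (expected 7)\n", FILENAME, NR, NF
            next
        }
        $6 ~ /nologin$/ {
            printf "%s: line %d: user %s has a shell as home directory: %s\n", FILENAME, NR, $1, $6
            next
        }
        $6 !~ /^\// {
            printf "%s: line %d: user %s has a relative home directory: %s\n", FILENAME, NR, $1, $6
            next
        }
    ' "$1"
}

# count_bad FILE
#   Echoes the number of suspicious records found by check_passwd.
count_bad() {
    check_passwd "$1" | wc -l | tr -d ' '
}

# make_sample
#   Writes a constructed passwd file (not anyone'"'"'s real passwd) to a temp
#   file and echoes its path. Records 3 and 4 are deliberately broken:
#   "operator" has home and shell swapped, "bind" has an extra ':' after
#   the gecos field so every later field is shifted right.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/usr/sbin/nologin:/
bind:*:53:53:Bind Sandbox::/usr/sbin/nologin:/
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
    echo "$f"
}

# Stand-alone run: audit the constructed sample, or a file given as $1.
if [ "${1:-}" ]; then
    check_passwd "$1"
else
    sample=$(make_sample) || exit 1
    check_passwd "$sample"      # reports the operator and bind records
    rm -f "$sample"
fi
```

On a real FreeBSD host the same function can be pointed at /etc/passwd (`sh audit.sh /etc/passwd`); records it reports are the ones to compare against the corresponding lines in master.passwd before rebuilding the database with pwd_mkdb.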