From: Stacey Roberts
To: freebsd-questions@FreeBSD.org
Date: Sat, 16 Jul 2005 15:39:46 +0100
Subject: Strange messages log entry
Message-ID: <20050716143946.GA88475@crom.vickiandstacey.com>

Hello,

I've noted a strange entry in /var/log/messages on a machine here that I'm hoping someone might be able to shed some light on, please. Here is what I found:

su: _secure_path: /nonexistent/.login_conf is not owned by uid 65534

There are two (2) entries at exactly 04:15 this morning, and they are the only two entries of this kind in /var/log/messages, and I can't think what it is that could be the origin of them.

The machine itself is only running rsync as the only really active service, and is behind a Cisco c-2514 running CBAC with STATIC (for this machine only) and DYNAMIC NAT, and there is another firewall in front of this Cisco for the whole local network.

The static NAT entry on the router is set up in order to construct an ACL entry that permits only one laptop to back up its files to the FreeBSD server via rsync. The laptop itself has not been powered up for over a week now and was not on at the time of the log entry.

Here's what's running on the server:

# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rsync      635   5  tcp4   *:873                 *:*
root     portsentry 499   0  udp4   *:1                   *:*
root     portsentry 499   1  udp4   *:7                   *:*
root     portsentry 499   2  udp4   *:9                   *:*
root     portsentry 499   3  udp4   *:69                  *:*
root     portsentry 499   4  udp4   *:161                 *:*
root     portsentry 499   5  udp4   *:162                 *:*
root     portsentry 499   6  udp4   *:513                 *:*
root     portsentry 499   7  udp4   *:635                 *:*
root     portsentry 499   8  udp4   *:640                 *:*
root     portsentry 499   9  udp4   *:641                 *:*
root     portsentry 499   10 udp4   *:700                 *:*
root     portsentry 499   11 udp4   *:37444               *:*
root     portsentry 499   12 udp4   *:34555               *:*
root     portsentry 499   13 udp4   *:31335               *:*
root     portsentry 499   14 udp4   *:32770               *:*
root     portsentry 499   15 udp4   *:32771               *:*
root     portsentry 499   16 udp4   *:32772               *:*
root     portsentry 499   17 udp4   *:32773               *:*
root     portsentry 499   18 udp4   *:32774               *:*
root     portsentry 499   19 udp4   *:31337               *:*
root     portsentry 499   20 udp4   *:54321               *:*
root     portsentry 497   0  tcp4   *:1                   *:*
root     portsentry 497   1  tcp4   *:11                  *:*
root     portsentry 497   2  tcp4   *:15                  *:*
root     portsentry 497   3  tcp4   *:79                  *:*
root     portsentry 497   4  tcp4   *:111                 *:*
root     portsentry 497   5  tcp4   *:119                 *:*
root     portsentry 497   6  tcp4   *:143                 *:*
root     portsentry 497   7  tcp4   *:540                 *:*
root     portsentry 497   8  tcp4   *:635                 *:*
root     portsentry 497   9  tcp4   *:1080                *:*
root     portsentry 497   10 tcp4   *:1524                *:*
root     portsentry 497   11 tcp4   *:2000                *:*
root     portsentry 497   12 tcp4   *:5742                *:*
root     portsentry 497   13 tcp4   *:6667                *:*
root     portsentry 497   14 tcp4   *:12345               *:*
root     portsentry 497   15 tcp4   *:12346               *:*
root     portsentry 497   16 tcp4   *:20034               *:*
root     portsentry 497   17 tcp4   *:27665               *:*
root     portsentry 497   18 tcp4   *:31337               *:*
root     portsentry 497   19 tcp4   *:32771               *:*
root     portsentry 497   20 tcp4   *:32772               *:*
root     portsentry 497   21 tcp4   *:32773               *:*
root     portsentry 497   22 tcp4   *:32774               *:*
root     portsentry 497   23 tcp4   *:40421               *:*
root     portsentry 497   24 tcp4   *:49724               *:*
root     portsentry 497   25 tcp4   *:54320               *:*
root     sendmail   465   4  tcp4   127.0.0.1:25          *:*
root     sshd       459   4  tcp4   *:22                  *:*
#

SSHD access to the server is only available to one other machine in that Cisco protected network that is not accessible from anywhere else on either the Cisco-protected network, nor any other networks locally, or externally.

If anyone is able to provide any hints as to where that entry might have come from, or any information as to what it literally means, I'd appreciate it greatly. If there are any other bits of information I can provide, then please let me know.

Thanks for the time.

Regards,

Stacey