Date:      Sat, 15 Nov 2008 00:17:23 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Lisa Casey <lisa@mail.jellico.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Question about entry in auth.log
Message-ID:  <20081115081723.GA66941@icarus.home.lan>
In-Reply-To: <20081115073714.GA66093@icarus.home.lan>
References:  <B8B09B39A8884900970CF2434D40F6C4@CaseyHome> <BAY122-DAV1214B45821956EB1D7B782BA110@phx.gbl> <692726B5-52B5-46AC-9C79-41553179AF36@comcast.net> <20081114215444.C8966@mail.jellico.com> <20081115073714.GA66093@icarus.home.lan>

On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> > Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
> > been there. I got rid of the michael account (it wasn't used anyway), and
> > downloaded a new copy of chkrootkit, installed it and ran it along with
> > chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless
> > enough prank? Anything else I ought to look at? Fortunately the michael
> > account did not have the ability to su to root.
> 
> The individual in Romania *was not* able to log in as michael.  The

Correction: the individual **WAS** able to log in as michael.  I missed
the part of the message that said "Accepted" at the front.  Sorry for
confusing you, I've had a very rough week and my brain is not
functioning.

What Wojciech said is correct -- change the password on the account.

Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
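
An added example, not part of the original message: a small Python parser that separates "Accepted" from "Failed" sshd entries in auth.log so a successful login is not misread as a failed one, and flags accepted logins from an address that had failed earlier. The log lines, host name and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the usual OpenSSH syslog format (not from the
# thread; the addresses are documentation ranges).
SAMPLE_LOG = """\
Nov 14 03:12:31 host sshd[4100]: Failed password for michael from 192.0.2.10 port 51230 ssh2
Nov 14 03:12:36 host sshd[4100]: Failed password for invalid user admin from 192.0.2.10 port 51231 ssh2
Nov 14 03:12:45 host sshd[4102]: Accepted password for michael from 192.0.2.10 port 51234 ssh2
Nov 14 09:01:02 host sshd[4250]: Accepted publickey for lisa from 198.51.100.7 port 40022 ssh2
Nov 14 09:05:00 host su: lisa to root on /dev/pts/0
"""

# Matches sshd authentication results; "invalid user" marks a nonexistent account.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Return one dict per sshd authentication result found in text."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({
                "when": line[:15],  # syslog timestamp, e.g. "Nov 14 03:12:45"
                "result": m.group("result"),
                "method": m.group("method"),
                "user": m.group("user"),
                "src": m.group("src"),
                "invalid_user": m.group("invalid") is not None,
            })
    return events


def accepted_after_failure(events):
    """Accepted logins from a source address that had already failed earlier."""
    failed_sources, flagged = set(), []
    for e in events:
        if e["result"] == "Failed":
            failed_sources.add(e["src"])
        elif e["src"] in failed_sources:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    events = parse_auth_lines(SAMPLE_LOG)
    for e in events:
        # "Accepted" means authentication succeeded; the line alone does not
        # show whether a shell was spawned or a file was copied with scp.
        print(e["result"].upper(), e["when"], e["user"], e["method"], e["src"])
    for e in accepted_after_failure(events):
        print("REVIEW:", e["user"], "from", e["src"])
```
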
