Someone trying to break in.
Peter Ulrich Kruppa
root at pukruppa.de
Wed Jan 5 01:56:27 PST 2005
On Tue, 4 Jan 2005, Bill Moran wrote:
>
> Over the holiday I replaced a server that appeared to have been
> cracked. Basically built a replacement with the same services
> in a sandbox, then swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam
> coming off it that the old one was generating, however, I'm
> seeing a lot of messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

Perhaps you just mixed up some (pseudo-)user's entry for
/etc/master.passwd?
Instead of
    ...:/nonexistent:/sbin/nologin
you set
    ...:/sbin/nologin:/nonexistent ???

Just a guess,
Uli.

>
> On the one hand, I'm taking this to mean that whatever
> technique was previously being used to control the box is no
> longer working, but I'm wondering if anyone has an idea as to
> what the technique actually was? I want to see if I can lock it
> down even further, based on the specific exploit that is being
> attempted here.
>
> Anyone seen these errors before, and have any clue as to what
> exploit is going on? The previous machine was very outdated,
> so I'm assuming it was a known exploit in the mail system
> (postfix) or Neomail or something else. The new machine has
> all the latest stable versions of all software, so I'm hoping
> that it's no longer vulnerable, but I can't seem to determine
> what kind of attack was being used.
>
> Thoughts?
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
+---------------------------+
| Peter Ulrich Kruppa |
| Wuppertal |
| Germany |
+---------------------------+
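
The check suggested in the reply above, written out as an added example (not part of the original thread): it scans passwd-style entries for a home field that holds a shell path, which is what makes su look for <home>/.login_conf under a file and log "Not a directory". The function name audit_passwd, the KNOWN_SHELLS list and the sample entries are assumptions constructed for illustration; the 7-field /etc/passwd layout is handled as well as the 10-field master.passwd layout.

```python
"""Audit passwd(5)-style lines for swapped home/shell fields (added example)."""

# Constructed list of login programs; on a real host take it from /etc/shells
# and add the nologin paths used for pseudo-users.
KNOWN_SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh",
                "/sbin/nologin", "/usr/sbin/nologin"}


def audit_passwd(text, known_shells=KNOWN_SHELLS):
    """Return (user, problem) tuples for suspicious home/shell fields.

    Accepts the 10-field master.passwd layout or the 7-field passwd layout;
    in both, home is the second-to-last field and shell is the last.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            findings.append((f"line {lineno}",
                             f"unexpected field count {len(fields)}"))
            continue
        user, home, shell = fields[0], fields[-2], fields[-1]
        if home in known_shells:
            # su/login look for <home>/.login_conf; a file here yields
            # "cannot stat <home>/.login_conf: Not a directory".
            findings.append((user, f"home is a shell path: {home}"))
        if shell and shell not in known_shells:
            findings.append((user, f"shell not in known shells: {shell}"))
    return findings


# Constructed sample in master.passwd layout (password hashes replaced by '*').
SAMPLE = """\
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
mailuser:*:1001:1001::0:0:Mail pseudo-user:/usr/sbin/nologin:/nonexistent
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE):
        print(f"{user}: {problem}")
```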