Problem with logs

Wed Sep 12 10:55:23 PDT 2007

I had such problem with FreeBSD 4.7, and finally discovered that this
records were for the last year.
My auth.log was pretty small and contain records for more than one
year. And daily security included records for the last year. May this
could be applied to you?

Best regards, Denis.

On 9/12/07, Aldisa Admin <admin at aldisa.ca> wrote:
> Hello All,
>
> I am having trouble understanding what is going on and how to solve the problem:
>
> For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output:
>
> [hostname].ca login failures:
> Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
>
> [hostname].ca login failures:
> Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
>
>
> I got worried because both these instances are times when I am positive that I am not accessing the system.  I am the only user of the system.  I use ssh to access the system.  Root access is disabled in sshd.  I log in using my username (abid) and SU to root when necessary.
>
> So I went to check the auth.log, and here is the concerned section:
>
> Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
> Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
> Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
> Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
> Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
> Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
> Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
> Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
> Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
> Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
> Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
> Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
> Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
> Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
> Sep 12 08:41:53 server su: abid to root on /dev/ttyp0
>
>
> As you can see, there is no matching incidence in the auth.log.  How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username.
>
> Some other facts:
>
> The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open.  SSH access is restricted to intranet IP ranges.  The only other opening is a VPN connection between the routers at my office (where the server is) and my home.  The subnet in the office is 192.168.1 and at home is 192.168.2
>
> I changed the password on my account after the Sep 8 occurrence.
>
> It seems to me that somebody is hacking in, but I can't figure out how and from where.
>
> ANY AND ALL HELP WILL BE APPRECIATED.
>
> Abid
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>