Someone trying to break in.

Bill Moran wmoran at potentialtech.com
Tue Jan 4 07:06:48 PST 2005


Over the holiday I replaced a server that appeared to have been cracked.
Basically built a replacement with the same services in a sandbox, then
swapped it with the old one.

The new server seems to be secure, as we're not seeing the spam coming
off it that the old one was generating; however, I'm seeing a lot of
messages in the log files.  For example:

Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

On the one hand, I'm taking this to mean that whatever technique was
previously being used to control the box is no longer working, but I'm
wondering if anyone has an idea as to what the technique actually was?
I want to see if I can lock it down even further, based on the
specific exploit that is being attempted here.

Anyone seen these errors before, and have any clue as to what exploit
is going on?  The previous machine was very outdated, so I'm assuming
it was a known exploit in the mail system (postfix) or Neomail or
something else.  The new machine has all the latest stable versions of
all software, so I'm hoping that it's no longer vulnerable, but I can't
seem to determine what kind of attack was being used.

Thoughts?

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
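The message quoted above names the path su was checking: a file called
.login_conf directly under /usr/sbin/nologin.  Since that check is made on
$HOME/.login_conf, the directory part of the path is the home directory of
the account su was switching to.  The script below is an added example, not
code from the post or from FreeBSD; it parses syslog lines of that shape,
pulls out the probed home directory, and cross-checks it against the
home-directory field of passwd-format data.  The first two log lines are the
ones from the post; the remaining log lines and every account entry are
constructed for the example, and the syslog layout it parses is assumed.

```python
import os
import re
from collections import defaultdict

# Constructed sample log: the two lines from the post plus two made-up lines
# (one unrelated sshd line, one _secure_path error with a different path).
SAMPLE_LOG = """\
Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan  4 07:16:02 mail sshd[812]: Accepted publickey for bill from 192.0.2.10 port 51234 ssh2
Jan  4 07:17:45 mail su: _secure_path: cannot stat /nonexistent/.login_conf: No such file or directory
"""

# Constructed passwd-format sample (hypothetical accounts).  The "vmail"
# entry deliberately has its home directory set to /usr/sbin/nologin.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
vmail:*:1001:1001:Virtual mail:/usr/sbin/nologin:/usr/sbin/nologin
bill:*:1002:1002:Bill:/home/bill:/bin/sh
"""

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> <prog>[pid]: <message>".
SECURE_PATH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"_secure_path: cannot stat (?P<path>\S+?): (?P<err>.+)$"
)


def parse_secure_path_errors(log_text):
    """Return one dict per _secure_path error found in log_text.

    'home' is the directory part of the probed path when the file is
    .login_conf (i.e. the $HOME that was being checked), else None.
    """
    hits = []
    for line in log_text.splitlines():
        m = SECURE_PATH_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        home = os.path.dirname(path) if os.path.basename(path) == ".login_conf" else None
        hits.append({
            "ts": m.group("ts"),
            "prog": m.group("prog"),
            "path": path,
            "home": home,
            "err": m.group("err"),
        })
    return hits


def accounts_with_home(passwd_text, home):
    """Usernames whose home-directory field (6th colon-separated field) equals home."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7 and fields[5] == home:
            names.append(fields[0])
    return names


def correlate(log_text, passwd_text):
    """Map each probed home directory to its error count, the error strings
    seen, and the accounts in passwd_text that use it as their home."""
    report = defaultdict(lambda: {"count": 0, "errors": set(), "accounts": []})
    for hit in parse_secure_path_errors(log_text):
        if hit["home"] is None:
            continue
        entry = report[hit["home"]]
        entry["count"] += 1
        entry["errors"].add(hit["err"])
        if not entry["accounts"]:
            entry["accounts"] = accounts_with_home(passwd_text, hit["home"])
    return dict(report)


if __name__ == "__main__":
    for home, info in correlate(SAMPLE_LOG, SAMPLE_PASSWD).items():
        who = ", ".join(info["accounts"]) or "(no account has this home)"
        print(f"{home}: {info['count']} error(s) {sorted(info['errors'])} -> {who}")
```

On a live box the same two functions can be fed the output of `grep
_secure_path /var/log/messages` and the contents of `/etc/passwd` (or
`getent passwd`); an account that turns up in the report has a home-directory
field that is not a directory, which is the condition behind "Not a
directory", and is worth comparing against the home and shell values the
service that invokes su expects.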

