Someone trying to break in.
Sergey Zaharchenko
doublef at tele-kom.ru
Tue Jan 4 22:39:09 PST 2005
On Tue, Jan 04, 2005 at 10:06:39AM -0500,
Bill Moran probably wrote:
>
> Over the holiday I replaced a server that appeared to have been cracked.
> Basically built a replacement with the same services in a sandbox, then
> swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam coming
> off it that the old one was generating, however, I'm seeing a lot of
> messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
that someone is trying to su. /usr/sbin/nologin can't be a home
directory, it must be the shell for some user who isn't supposed to log
in. /nonexistent should be the home directory. It looks possible that
your password file specifies /usr/sbin/nologin as a home directory and a
valid shell for some system user. Maybe you omitted or added an extra
`:'? Just a guess,
--
DoubleF
Dealing with failure is easy: work hard to improve. Success is also
easy to handle: you've solved the wrong problem. Work hard to
improve.
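
The check suggested in the reply above, as an added example that is not part of the original message: a POSIX sh/awk pass over 7-field passwd(5) data that flags a shell path such as /usr/sbin/nologin sitting in the home-directory field, or a wrong field count from a missing or extra `:`. The function names and the sample entries are constructed for illustration; the `svc` entry shows the case where the shell field ends up empty, which passwd(5) treats as /bin/sh.

```shell
#!/bin/sh
# Added example: flag passwd(5) entries (7 colon-separated fields) whose
# home-directory field holds a shell path, or whose field count is off.

sample_passwd() {   # constructed entries, not taken from any real system
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
operator:*:2:5:System &:/:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
svc:*:1005:1005:/nonexistent:/usr/sbin/nologin:
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin:
EOF
}

audit_passwd() {    # reads the named file(s), or stdin when none is given
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            n++; line[n] = NR; nf[n] = NF
            name[n] = $1; home[n] = $6; shell[n] = $7
            # remember every shell used by a well-formed entry
            if (NF == 7 && $7 != "") shells[$7] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                h = home[i]
                if (h ~ /^\/+$/) h = "/"      # "/" is a legitimate home
                else sub(/\/+$/, "", h)       # ignore a trailing slash
                if (nf[i] != 7)
                    printf "%s: line %d: %d fields, expected 7\n", name[i], line[i], nf[i]
                else if ((h in shells) || h ~ /\/nologin$/)
                    printf "%s: line %d: home field is a shell path: %s (shell field: [%s])\n", name[i], line[i], h, shell[i]
                else if (h !~ /^\//)
                    printf "%s: line %d: home field is not an absolute path: [%s]\n", name[i], line[i], h
            }
        }
    ' "$@"
}
```

On a live system the same function can be pointed at the real file with `audit_passwd /etc/passwd`; any output is an entry to inspect with vipw(8).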
More information about the freebsd-questions
mailing list