Someone trying to break in.

Sergey Zaharchenko doublef at
Tue Jan 4 22:39:09 PST 2005

On Tue, Jan 04, 2005 at 10:06:39AM -0500,
 Bill Moran probably wrote:
> Over the holiday I replaced a server that appeared to have been cracked.
> Basically built a replacement with the same services in a sandbox, then
> swapped it with the old one.
> The new server seems to be secure, as we're not seeing the spam coming
> off it that the old one was generating, however, I'm seeing a lot of
> messages in the log files.  For example:
> Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
that someone is trying to su. /usr/sbin/nologin can't be a home
directory, it must be the shell for some user who isn't supposed to log
in. /nonexistent should be the home directory. It looks possible that
your password file specifies /usr/sbin/nologin as a home directory and a
valid shell for some system user. Maybe you omitted or added an extra
`:'? Just a guess,

Dealing with failure is easy: work hard to improve.  Success is also
easy to handle: you've solved the wrong problem.  Work hard to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list