Someone trying to break in.
Peter Ulrich Kruppa
root at pukruppa.de
Wed Jan 5 01:56:27 PST 2005
On Tue, 4 Jan 2005, Bill Moran wrote:
> Over the holiday I replaced a server that appeared to have been
> cracked. Basically built a replacement with the same services
> in a sandbox, then swapped it with the old one.
> The new server seems to be secure, as we're not seeing the spam
> coming off it that the old one was generating, however, I'm
> seeing a lot of messages in the log files. For example:
> Jan 4 07:15:13 mail su: _secure_path: cannot stat
> /usr/sbin/nologin/.login_conf: Not a directory Jan 4 07:15:13
> mail su: _secure_path: cannot stat
> /usr/sbin/nologin/.login_conf: Not a directory
Perhaps you just mixed up some (pseudo-)user's entry for
Just a guess,
> On the one hand, I'm taking this to mean that whatever
> technique was previously being used to control the box is no
> longer working, but I'm wondering if anyone has an idea as to
> what the technique actually was? I want to see if I can lock it
> down even further, based on the specific exploit that is being
> attempted here.
> Anyone seen these errors before, and have any clue as to what
> exploit is going on? The previous machine was very outdated,
> so I'm assuming it was a known exploit in the mail system
> (postfix) or Neomail or something else. The new machine has
> all the latest stable versions of all software, so I'm hoping
> that it's no longer vulnerable, but I can't seem to determine
> what kind of attack was being used.
> -- Bill Moran Potential Technologies
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions To
> unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
| Peter Ulrich Kruppa |
| Wuppertal |
| Germany |
More information about the freebsd-questions