Someone trying to break in.

Peter Ulrich Kruppa root at
Wed Jan 5 01:56:27 PST 2005

On Tue, 4 Jan 2005, Bill Moran wrote:

> Over the holiday I replaced a server that appeared to have been 
> cracked. Basically built a replacement with the same services 
> in a sandbox, then swapped it with the old one.
> The new server seems to be secure, as we're not seeing the spam 
> coming off it that the old one was generating, however, I'm 
> seeing a lot of messages in the log files.  For example:
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Perhaps you just mixed up some (pseudo-)user's entry for /etc/master.passwd?
Instead of
you set
 	...:/sbin/nologin:/nonexistent  ???

Just a guess,


> On the one hand, I'm taking this to mean that whatever 
> technique was previously being used to control the box is no 
> longer working, but I'm wondering if anyone has an idea as to 
> what the technique actually was? I want to see if I can lock it 
> down even further, based on the specific exploit that is being 
> attempted here.
> Anyone seen these errors before, and have any clue as to what 
> exploit is going on?  The previous machine was very outdated, 
> so I'm assuming it was a known exploit in the mail system 
> (postfix) or Neomail or something else.  The new machine has 
> all the latest stable versions of all software, so I'm hoping 
> that it's no longer vulnerable, but I can't seem to determine 
> what kind of attack was being used.
> Thoughts?
> -- Bill Moran Potential Technologies 

 	|    Peter Ulrich Kruppa    |
         |         Wuppertal         |
         |          Germany          |
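
The quoted log line shows su looking for `.login_conf` under `/usr/sbin/nologin`, that is, using the nologin path as a home directory. The following is an added example, not part of the original thread: a check for account entries whose home-directory and shell fields look swapped. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag passwd(5) / master.passwd(5)
# entries whose home-directory and shell fields look swapped.

# find_swapped [FILE...]  (reads stdin when no file is given)
# Prints "name home shell" for each suspicious entry. Home and shell are the
# last two colon-separated fields in both the 7-field passwd format and the
# 10-field master.passwd format, so they are addressed from the end.
find_swapped() {
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and short lines
        {
            home = $(NF-1); shell = $NF
            # A "home" that names a login program, or a "shell" that is the
            # conventional placeholder home, suggests the fields are swapped.
            if (home ~ /bin\/(nologin|sh|csh|tcsh|bash)$/ || shell == "/nonexistent")
                printf "%s %s %s\n", $1, home, shell
        }' "$@"
}

# Constructed sample in master.passwd layout (password fields blanked to "*").
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not taken from any real system
root:*:0:0::0:0:Charlie &:/root:/bin/csh
postfix:*:125:125::0:0:Constructed mail account:/usr/sbin/nologin:/nonexistent
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
bill:*:1001:1001::0:0:Constructed user:/home/bill:/bin/sh
EOF
}

# Demo: only the entry with the swapped fields is reported.
sample_master_passwd | find_swapped
```

On a live system the function can be pointed at the real account file, for example `find_swapped /etc/passwd`.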
