Someone trying to break in.
Bill Moran
wmoran at potentialtech.com
Fri Jan 7 11:56:04 PST 2005
Sergey Zaharchenko <doublef at tele-kom.ru> wrote:
> On Tue, Jan 04, 2005 at 10:06:39AM -0500,
> Bill Moran probably wrote:
> >
> > Over the holiday I replaced a server that appeared to have been cracked.
> > Basically built a replacement with the same services in a sandbox, then
> > swapped it with the old one.
> >
> > The new server seems to be secure, as we're not seeing the spam coming
> > off it that the old one was generating, however, I'm seeing a lot of
> > messages in the log files. For example:
> >
> > Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
>
> It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
> that someone is trying to su. /usr/sbin/nologin can't be a home
> directory, it must be the shell for some user who isn't supposed to log
> in. /nonexistent should be the home directory. It looks possible that
> your password file specifies /usr/sbin/nologin as a home directory and a
> valid shell for some system user. Maybe you omitted or added an extra
> `:'? Just a guess,
Thanks for the input, Sergey. That's certainly what's happening. For
some reason, certain user records are awry.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
More information about the freebsd-questions
mailing list
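
Sergey's diagnosis above (a dropped or extra `:` shifting `/usr/sbin/nologin` into the home-directory field) can be checked mechanically. The following is an added example, not part of the original thread: the function names and sample records are constructed, and it assumes 7 colon-separated fields for /etc/passwd and 10 for FreeBSD's master.passwd.

```shell
#!/bin/sh
# check_passwd FILE [NFIELDS]
#   NFIELDS: 7 for /etc/passwd (default), 10 for FreeBSD master.passwd.
# Prints one "name: reason" line per suspicious record.
check_passwd() {
    awk -F: -v want="${2:-7}" '
        /^#/ || /^$/ { next }            # skip comments and blank lines
        {
            # Fields are read by position, as the passwd parser does:
            # shell is the last expected field, home the one before it.
            home = $(want - 1); shell = $(want)
            if (NF != want)
                printf "%s: %d fields, expected %d\n", $1, NF, want
            # A home directory under bin/ or sbin/ is really a program;
            # this is what makes su stat /usr/sbin/nologin/.login_conf.
            if (home ~ /\/s?bin\//)
                printf "%s: home directory is a program path (%s)\n", $1, home
            # An empty shell field falls back to /bin/sh, so the account
            # ends up with a valid login shell.
            if (shell == "")
                printf "%s: shell field empty (defaults to /bin/sh)\n", $1
        }
    ' "$1"
}

# Constructed sample records: "www" is missing the ":" between gecos and
# home, so nologin slides into the home column and the shell is empty.
sample_passwd() {
    cat <<'EOF'
# constructed sample, /etc/passwd layout
root:*:0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner/nonexistent:/usr/sbin/nologin
EOF
}

# Stand-alone use: sh thisfile /etc/passwd 7
if [ $# -gt 0 ]; then
    check_passwd "$@"
fi
```

Run it against /etc/master.passwd with a field count of 10 as well, since that file is the one the password databases are built from.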