nologin: Attempted login by root on UNKNOWN
Alex Zbyslaw
xfb52 at dial.pipex.com
Wed Jul 19 10:19:24 UTC 2006
Tuc at T-B-O-H.NET wrote:
>>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
>>>
>>>
Something running *as* root is trying to "su" to an account which has
/bin/nologin as a shell
e.g. # su avahi
cartman nologin: Attempted login by alex on /dev/ttyp7
avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
If it were running detached from a terminal (in the background; started
from an rc script) then it would have no terminal to report, hence UNKNOWN.
Tracking down what, is another matter. ps uagx and kill processes one
by one until the message stops! Or try ktracing suspects for a less
drastic approach.
--Alex
More information about the freebsd-questions
mailing list