nologin: Attempted login by root on UNKNOWN

Alex Zbyslaw xfb52 at dial.pipex.com
Wed Jul 19 10:19:24 UTC 2006


Tuc at T-B-O-H.NET wrote:

>>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN

Something running *as* root is trying to "su" to an account which has 
/bin/nologin as a shell.

e.g. # su avahi

cartman nologin: Attempted login by alex on /dev/ttyp7

avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin


If it were running detached from a terminal (in the background; started 
from an rc script) then it would have no terminal to report, hence UNKNOWN.

Tracking down what is another matter.  ps uagx and kill processes one 
by one until the message stops!  Or try ktracing suspects for a less 
drastic approach.

--Alex
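
A way to narrow the search before killing or ktracing anything, as an added example that is not part of the original message: it groups nologin log lines by calling user and terminal, marks UNKNOWN entries as detached, and lists the passwd accounts whose shell is nologin (the possible su targets). The function names and the sample data beyond the lines quoted in the message are assumptions.

```shell
#!/bin/sh
# Added example. Sample data is constructed around the log lines and passwd
# entry quoted in the message; the second asgard line, the cartman timestamp
# and the alex entry are made up.
SAMPLE_LOG='Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 18 14:13:47 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 10:02:11 cartman nologin: Attempted login by alex on /dev/ttyp7'
SAMPLE_PASSWD='avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
alex:*:1001:1001:Alex:/home/alex:/bin/sh'

# nologin_events (hypothetical helper): syslog lines on stdin, one summary line
# per (caller, terminal) pair on stdout:
#   count|caller|terminal|detached or interactive|first seen|last seen
nologin_events() {
    awk '
    $5 ~ /^nologin/ && $6 == "Attempted" && $10 == "on" {
        key = $9 " " $11                 # calling user and terminal
        ts = $1 " " $2 " " $3            # syslog timestamp
        n[key]++
        if (!(key in first)) first[key] = ts
        last[key] = ts
    }
    END {
        for (k in n) {
            split(k, p, " ")
            # UNKNOWN means the caller had no controlling terminal
            kind = (p[2] == "UNKNOWN") ? "detached" : "interactive"
            printf "%d|%s|%s|%s|%s|%s\n", n[k], p[1], p[2], kind, first[k], last[k]
        }
    }' | sort
}

# nologin_accounts (hypothetical helper): passwd-format lines on stdin, names of
# accounts whose shell (last field) is a nologin binary on stdout.
nologin_accounts() {
    awk -F: '$NF ~ "(^|/)nologin$" { print $1 }'
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | nologin_events
printf '%s\n' "$SAMPLE_PASSWD" | nologin_accounts
```

The first-seen and last-seen times of a detached entry can be compared with process start times from ps to shorten the list of suspects.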



