nologin: Attempted login by root on UNKNOWN
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Wed Jul 19 17:27:44 UTC 2006
>
> Tuc at T-B-O-H.NET wrote:
>
> >>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
> >>>
> >>>
> Something running *as* root is trying to "su" to an account which has
> /bin/nologin as a shell
>
> e.g. # su avahi
>
> cartman nologin: Attempted login by alex on /dev/ttyp7
>
> avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
>
Thats what I was thinking...
>
> If it were running detached from a terminal (in the background; started
> from an rc script) then it would have no terminal to report, hence UNKNOWN.
>
Makes sense. :)
>
> Tracking down what, is another matter. ps uagx and kill processes one
> by one until the message stops! Or try ktracing suspects for a less
> drastic approach.
>
I'm pretty sure it has to do with my sendmail. Why all of a sudden
its done this I'm not sure. I shut down sendmail for an hour and the messages
stopped. When I started it back up, it started again. I'm running :
sendmail / procmail / SpamAssassin
If I was to ktrace sendmail, what would I be looking for? What
options do I pass to it to get all the sub processes?
Thanks, Tuc
More information about the freebsd-questions
mailing list