Question about entry in auth.log

Jeremy Chadwick koitsu at
Sat Nov 15 00:17:26 PST 2008

On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> > Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever  
> > been there. I got rid of the michael account (it wasn't used anyway), and 
> > downloaded a new copy of chkrootkit, installed it and ran it along with  
> > chklastlog and chkwtmp. Nothing was found. Pehaps this was a harmless  
> > enough prank? Anything else I ought to look at? Fortunately the michael  
> > account did not have te ability to su to root.
> The individual in Romania *was not* able to log in as michael.  The

Correction: the individual **WAS** able to log in as michael.  I missed
the part of the message that said "Accepted" at the front.  Sorry for
confusing you, I've had a very rough week and my brain is not

What Wojciech said is correct -- change the password on the account.

Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).

| Jeremy Chadwick                                jdc at |
| Parodius Networking              |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-questions mailing list