Daily security report oddity...
Kurt Buff
kurt.buff at gmail.com
Tue Sep 1 22:56:32 UTC 2009
I got a daily security run email from one of my machines on Monday
morning, with the following entry:
zmx1.zetron.com login failures:
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
What's puzzling is that this account has been completely inactive for
well over a year - this fellow is long gone, and I simply didn't clean
it up - that's my bad, but that's not the puzzling part.
I traced it down, and found out that he had not logged in on Sunday.
The auth.log is, as you can see from the listing below, quite old. The
entries referenced above are from two years ago.
zmx1# ll /var/log/a*
-rw------- 1 root wheel 71845 Sep 1 15:42 /var/log/auth.log
-rw------- 1 root wheel 6087 Aug 29 2007 /var/log/auth.log.0.bz2
-rw------- 1 root wheel 5774 Aug 12 2007 /var/log/auth.log.1.bz2
-rw------- 1 root wheel 5795 Jul 24 2007 /var/log/auth.log.2.bz2
-rw------- 1 root wheel 6813 Jul 6 2007 /var/log/auth.log.3.bz2
So, a couple of questions:
Why would the daily security run pick up something from *two years
ago* and only report it again today? The machine hasn't been rebooted
in a very long time, if that makes a difference.
Is there any way to prevent something like this happening again - or
perhaps can I force the entry of the year into the date field for the
auth.log entries?
Kurt
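Added example, not code from the post above and not FreeBSD's own periodic(8) script. It models the daily login-failure check as a grep for yesterday's "%b %e" date prefix (an assumption about how such a check works) to show why two-year-old lines in an unrotated, yearless auth.log can match today's date again, and contrasts it with the same check over a log whose timestamps carry the year. The two "BAD SU" lines are the ones quoted in the post; the sshd lines and the year-bearing log format are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's periodic scripts.
# It models the daily "login failures" check as a grep for yesterday's
# "%b %e" date prefix (an assumption about the check's mechanics) and shows why
# a yearless BSD syslog timestamp makes entries from an earlier year match again.

# Constructed sample auth.log in classic BSD syslog format (no year). The two
# "BAD SU" lines are the ones quoted in the post; the sshd lines are made up.
# Nothing in a line says whether it was written in 2007 or 2009.
YEARLESS_LOG='Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Aug 31 08:12:03 zmx1 sshd[412]: Accepted publickey for opsuser from 10.0.0.5 port 51234 ssh2
Aug 30 08:12:03 zmx1 sshd[517]: Failed password for invalid user test from 10.0.0.9 port 40011 ssh2'

# The same four events with a constructed year-bearing (ISO 8601) timestamp.
# The format is hypothetical here; it stands for any syslog format that
# records the year, which is what the poster asks about.
DATED_LOG='2007-08-30T06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
2007-08-30T09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
2009-08-31T08:12:03 zmx1 sshd[412]: Accepted publickey for opsuser from 10.0.0.5 port 51234 ssh2
2009-08-30T08:12:03 zmx1 sshd[517]: Failed password for invalid user test from 10.0.0.9 port 40011 ssh2'

# Yearless check: count failure lines whose timestamp starts with the given
# "%b %e" day. "Aug 30" from 2007 and "Aug 30" from 2009 are indistinguishable,
# so stale lines in a log that never rotated get reported again on that day.
# %e pads single-digit days with a space ("Aug  1"), so the pattern has to be
# built the same way the log was written.
count_failures_yearless() {
    day=$1    # e.g. "Aug 30"
    log=$2
    printf '%s\n' "$log" | grep -Ec "^$day .*(BAD SU|Failed password)" || true
}

# Year-aware check: with the year in the timestamp the filter names the exact
# calendar day, and 2007's entries no longer match a 2009 report.
count_failures_dated() {
    day_iso=$1   # e.g. "2009-08-30"
    log=$2
    printf '%s\n' "$log" | grep -Ec "^${day_iso}T.*(BAD SU|Failed password)" || true
}

# Stand-alone demo: the report for "yesterday" = Aug 30, run in 2009.
printf 'yearless check for "Aug 30":   %s failures (the 2007 lines are counted)\n' \
    "$(count_failures_yearless 'Aug 30' "$YEARLESS_LOG")"
printf 'dated check for "2009-08-30":  %s failure\n' \
    "$(count_failures_dated '2009-08-30' "$DATED_LOG")"
printf 'dated check for "2007-08-30":  %s failures\n' \
    "$(count_failures_dated '2007-08-30' "$DATED_LOG")"
```

Run it with sh. The yearless count for "Aug 30" includes the 2007 lines, the dated count for "2009-08-30" does not. A year in the timestamp only helps if the check itself is written to match on it; a check that still greps for "%b %e" would keep misfiring regardless of how the log is stamped.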