From: Alex Zbyslaw
Date: Wed, 19 Jul 2006 11:19:21 +0100
To: "Tuc at T-B-O-H.NET"
Cc: freebsd-questions@freebsd.org
Subject: Re: nologin: Attempted login by root on UNKNOWN

Tuc at T-B-O-H.NET wrote:

>>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
>>>
>>>

Something running *as* root is trying to "su" to an account which has /bin/nologin as a shell e.g.

    # su avahi

    cartman nologin: Attempted login by alex on /dev/ttyp7

    avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin

If it were running detached from a terminal (in the background; started from an rc script) then it would have no terminal to report, hence UNKNOWN.

Tracking down what, is another matter. ps uagx and kill processes one by one until the message stops! Or try ktracing suspects for a less drastic approach.

--Alex
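A static check for the situation described in this message, added here as an example and not part of the original post: list the accounts whose shell is nologin, then search startup and cron scripts for a "su" to one of them. The function names, the fixture files and the search paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): find scripts that "su" to an
# account whose login shell is nologin. All file contents below are constructed.

# nologin_accounts PASSWD_FILE: print each account whose shell ends in /nologin
nologin_accounts() {
    awk -F: '$7 ~ /\/nologin$/ { print $1 }' "$1"
}

# su_callers PASSWD_FILE PATH...: print file:line:text for every "su" whose
# target (after optional flags such as -, -l, -m) is one of those accounts
su_callers() {
    passwd=$1; shift
    for acct in $(nologin_accounts "$passwd"); do
        grep -rnHE "(^|[^[:alnum:]_])su[[:space:]]+(-[[:alnum:]]*[[:space:]]+)*${acct}([^[:alnum:]_-]|\$)" "$@" 2>/dev/null || true
    done
}

# make_fixture DIR: constructed passwd file and two constructed scripts
make_fixture() {
    mkdir -p "$1/rc.d"
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
alex:*:1001:1001:Alex:/home/alex:/bin/tcsh
EOF
    cat > "$1/rc.d/avahi_helper" <<'EOF'
#!/bin/sh
# constructed rc script: started at boot, so no controlling terminal
su avahi -c "/usr/local/bin/helper --refresh"
EOF
    cat > "$1/rc.d/backup" <<'EOF'
#!/bin/sh
su - alex -c "/home/alex/bin/backup"   # alex has a real shell: not reported
EOF
}

# Usage (paths are assumptions): sh find_su_callers.sh /etc/crontab /etc/rc.d /usr/local/etc/rc.d
if [ "$#" -gt 0 ]; then
    su_callers /etc/passwd "$@"
fi
```

Each hit is a candidate source of the log line; a hit in a script that runs at boot or from cron matches the "UNKNOWN" terminal case.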