Date: Wed, 19 Jul 2006 11:19:21 +0100 From: Alex Zbyslaw <xfb52@dial.pipex.com> To: "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> Cc: freebsd-questions@freebsd.org Subject: Re: nologin: Attempted login by root on UNKNOWN Message-ID: <44BE0729.2090607@dial.pipex.com> In-Reply-To: <200607190238.k6J2cI45005013@himinbjorg.tucs-beachin-obx-house.com> References: <200607190238.k6J2cI45005013@himinbjorg.tucs-beachin-obx-house.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Tuc at T-B-O-H.NET wrote: >>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN >>> >>> Something running *as* root is trying to "su" to an account which has /bin/nologin as a shell e.g. # su avahi cartman nologin: Attempted login by alex on /dev/ttyp7 avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin If it were running detached from a terminal (in the background; started from an rc script) then it would have no terminal to report, hence UNKNOWN. Tracking down what, is another matter. ps uagx and kill processes one by one until the message stops! Or try ktracing suspects for a less drastic approach. --Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44BE0729.2090607>