Date: Wed, 19 Jul 2006 13:27:37 -0400 (EDT)
From: "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net>
To: xfb52@dial.pipex.com (Alex Zbyslaw)
Cc: freebsd-questions@freebsd.org
Subject: Re: nologin: Attempted login by root on UNKNOWN
Message-ID: <200607191727.k6JHRbVs027122@himinbjorg.tucs-beachin-obx-house.com>
In-Reply-To: <44BE0729.2090607@dial.pipex.com>
>
> Tuc at T-B-O-H.NET wrote:
>
> >>>Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN
> >>>
> >>>
> Something running *as* root is trying to "su" to an account which has
> /bin/nologin as a shell
>
> e.g. # su avahi
>
> cartman nologin: Attempted login by alex on /dev/ttyp7
>
> avahi:*:558:558:Avahi Daemon User:/nonexistent:/sbin/nologin
>
	That's what I was thinking...
>
> If it were running detached from a terminal (in the background; started
> from an rc script) then it would have no terminal to report, hence UNKNOWN.
>
	Makes sense. :)
>
> Tracking down what, is another matter. ps uagx and kill processes one
> by one until the message stops! Or try ktracing suspects for a less
> drastic approach.
>
	I'm pretty sure it has to do with my sendmail. Why all of a sudden
it's done this I'm not sure. I shut down sendmail for an hour and the
messages stopped. When I started it back up, it started again.

	I'm running:

	sendmail / procmail / SpamAssassin

	If I was to ktrace sendmail, what would I be looking for? What
options do I pass to it to get all the sub processes?

		Thanks, Tuc
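Added example, not part of the original message or thread: a small Python triage of the nologin syslog lines discussed above. It separates terminal-origin attempts from detached ones (tty UNKNOWN) and lists quiet periods that can be lined up with a daemon stop/start such as the sendmail shutdown described. The sample log (apart from its first line), the function names, the year argument and the 30-minute threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Format of the nologin syslog lines quoted in the thread.
NOLOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"nologin(?:\[\d+\])?: Attempted login by (?P<user>\S+) on (?P<tty>\S+)\s*$"
)

# Constructed sample input; only the first line appears in the thread.
SAMPLE = [
    "Jul 18 14:08:47 asgard nologin: Attempted login by root on UNKNOWN",
    "Jul 18 14:13:47 asgard nologin: Attempted login by root on UNKNOWN",
    "Jul 18 14:18:47 asgard nologin: Attempted login by root on UNKNOWN",
    "Jul 18 15:24:02 asgard nologin: Attempted login by root on UNKNOWN",
    "Jul 18 15:25:10 cartman nologin: Attempted login by alex on /dev/ttyp7",
    "Jul 18 15:26:00 asgard cron[411]: unrelated line that must be skipped",
]

def parse_events(lines, year):
    """Return nologin events sorted by time; syslog omits the year, so pass it."""
    events = []
    for line in lines:
        m = NOLOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # UNKNOWN means the caller had no terminal to report (background process).
        origin = "detached" if m["tty"] == "UNKNOWN" else "terminal"
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "tty": m["tty"], "origin": origin})
    return sorted(events, key=lambda e: e["ts"])

def summarize(events):
    """Count events per (host, invoking user, origin)."""
    return Counter((e["host"], e["user"], e["origin"]) for e in events)

def quiet_gaps(events, min_gap=timedelta(minutes=30)):
    """Gaps between consecutive detached events; compare with daemon downtime."""
    ts = [e["ts"] for e in events if e["origin"] == "detached"]
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a >= min_gap]

if __name__ == "__main__":
    evs = parse_events(SAMPLE, 2006)
    for key, count in summarize(evs).items():
        print(key, count)
    for start, end in quiet_gaps(evs):
        print("quiet from", start, "to", end)
```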