From owner-freebsd-questions@FreeBSD.ORG Tue Jan 4 15:06:48 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 534EC16A4CE for ; Tue, 4 Jan 2005 15:06:48 +0000 (GMT)
Received: from internet.potentialtech.com (h-66-167-251-6.phlapafg.covad.net [66.167.251.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id C290E43D2D for ; Tue, 4 Jan 2005 15:06:41 +0000 (GMT) (envelope-from wmoran@potentialtech.com)
Received: from working.potentialtech.com (pa-plum-cmts1e-68-68-113-64.pittpa.adelphia.net [68.68.113.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by internet.potentialtech.com (Postfix) with ESMTP id DD5B769A3F for ; Tue, 4 Jan 2005 10:06:40 -0500 (EST)
Date: Tue, 4 Jan 2005 10:06:39 -0500
From: Bill Moran
To: questions@freebsd.org
Message-Id: <20050104100639.6f01c87a.wmoran@potentialtech.com>
Organization: Potential Technologies
X-Mailer: Sylpheed version 1.0.0rc (GTK+ 1.2.10; i386-portbld-freebsd4.10)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Someone trying to break in.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 04 Jan 2005 15:06:48 -0000

Over the holiday I replaced a server that appeared to have been cracked. Basically, I built a replacement with the same services in a sandbox, then swapped it with the old one. The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating; however, I'm seeing a lot of messages in the log files.

For example:

Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

On the one hand, I'm taking this to mean that whatever technique was previously being used to control the box is no longer working, but I'm wondering if anyone has an idea as to what the technique actually was? I want to see if I can lock it down even further, based on the specific exploit that is being attempted here.

Anyone seen these errors before, and have any clue as to what exploit is going on? The previous machine was very outdated, so I'm assuming it was a known exploit in the mail system (postfix) or Neomail or something else. The new machine has all the latest stable versions of all software, so I'm hoping that it's no longer vulnerable, but I can't seem to determine what kind of attack was being used.

Thoughts?

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
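The path in the logged message is the clue worth pulling on: su (through libutil's _secure_path) stats ~/.login_conf of the target account before switching to it, so "cannot stat /usr/sbin/nologin/.login_conf: Not a directory" means the target account's home directory field is the file /usr/sbin/nologin rather than a directory. The message therefore tells you which account su was invoked for, not who invoked it or why; that has to come from whatever process (cron job, mail delivery agent, interactive shell) ran su. The script below is an added example, not code from the original mail: it extracts the home path from such log lines, looks up which account in a passwd-format file has that home, and classifies the path on the local filesystem. The log lines, the passwd entries and the account names (vmail, mailnull, bill) are constructed for the example, and the lookup functions read their input from stdin so they can be pointed at /var/log/messages and /etc/passwd on a real host.

```sh
#!/bin/sh
# Added example (not part of the original mail). Correlate su's
# "_secure_path: cannot stat <home>/.login_conf" messages with the
# password database to find the account whose home is a file.
# SAMPLE_LOG and SAMPLE_PASSWD are constructed test data, not real logs.

SAMPLE_LOG='Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan  4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Jan  4 07:16:02 mail sshd[1234]: Accepted publickey for bill from 192.0.2.10 port 51234 ssh2'

# Hypothetical passwd entries; the interesting one is vmail, whose
# home field is the nologin binary itself instead of a directory.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
vmail:*:1001:1001:Virtual mail:/usr/sbin/nologin:/usr/sbin/nologin
bill:*:1002:1002:Bill:/home/bill:/bin/sh'

# Read syslog lines on stdin; print each distinct directory that su
# tried to use as $HOME (the part before "/.login_conf"), one per line.
secure_path_homes() {
    sed -n 's|.* su: _secure_path: cannot stat \(.*\)/\.login_conf: .*|\1|p' | sort -u
}

# Read syslog lines on stdin; print "<count> <home>" for each distinct
# home path, so repeated attempts against one account stand out.
count_by_home() {
    sed -n 's|.* su: _secure_path: cannot stat \(.*\)/\.login_conf: .*|\1|p' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# Read passwd-format lines on stdin; print login names whose home
# directory field (field 6) is exactly the path given as $1.
accounts_with_home() {
    awk -F: -v h="$1" '$6 == h { print $1 }'
}

# Classify a home path on the local filesystem: "directory" is what su
# expects; "not a directory" reproduces the logged error; "missing"
# would instead produce a "No such file or directory" message.
classify_home() {
    if [ -d "$1" ]; then
        echo "directory"
    elif [ -e "$1" ]; then
        echo "not a directory"
    else
        echo "missing"
    fi
}

# Stand-alone run over the constructed data.
printf '%s\n' "$SAMPLE_LOG" | secure_path_homes | while read -r home; do
    echo "su target home: $home ($(classify_home "$home"))"
    printf '%s\n' "$SAMPLE_PASSWD" | accounts_with_home "$home" \
        | sed 's/^/  account with this home: /'
done
```

On the real host, replace the two printf pipelines with `secure_path_homes < /var/log/messages` and `accounts_with_home "$home" < /etc/passwd` (or `pw usershow -a` on FreeBSD, which prints the same colon-separated format). Once the account is known, `grep` that account name in /etc/crontab, the per-user crontabs and the mail delivery configuration to find what is calling su; the log message alone does not distinguish a scheduled job from an attacker.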