From owner-freebsd-security Tue Feb 5 9:50:56 2002
Delivered-To: freebsd-security@freebsd.org
Date: Tue, 05 Feb 2002 09:50:30 -0800
Subject: Is this evidence of a break-in attempt?
From: Victor Grey

I have a server co-located at a data center, running FreeBSD 4.4 release. According to /var/log/messages it rebooted itself at one minute before midnight the night before last, and then (I think that's what the lines in messages mean) discovered a mouse attached as it booted up. Then at 43 minutes past midnight there were six login failures, three as root. (Running tripwire yesterday morning showed nothing suspicious.)

Well - there shouldn't be any mouse attached, it's a headless server. Furthermore, if I understand it correctly, a login failure at ttyv0 means it happened at the local console -- not a remote break-in attempt over the network. The data center personnel swear there was no one in there last night.

Can someone verify for me that I am interpreting the log correctly before I pursue it further with them? Specifically, is there any way for the log to show a login failure at ttyv0 if no keyboard or mouse is attached to the machine? Or any other insights/things I should look at?
Here are the relevant lines from /var/log/messages:
-----------------------------
Feb 3 23:56:20 p2 syslogd: exiting on signal 15
Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001
Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
-----------------------------

Thanks,
Victor Grey
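The triage Victor is doing by eye, as an added example that is not part of the original post: a small Python script that parses the six quoted /var/log/messages lines, separates the orderly-shutdown marker (syslogd leaving on SIGTERM, which an rc shutdown produces and a power cut or panic does not), the kernel boot banner, the unexpected device probe, and the login(1) failure summaries, and classifies each failure by where the tty lives. On FreeBSD 4.x, ttyv* are syscons virtual consoles (physical keyboard), ttyd* are serial ports, and ttyp*/ttyq*/... are pseudo-terminals used by network sessions; that mapping, the list of "unexpected" drivers, and the sample input being the exact lines from the post are the assumptions here. One caveat the script encodes: login(1) writes its failure summary twice, the second copy (to the authpriv facility) appending the last username tried, so two lines sharing a timestamp and tty are one batch of failures, not two.

```python
import re

# The six lines quoted in the post, embedded so the script runs offline.
SAMPLE_MESSAGES = """\
Feb 3 23:56:20 p2 syslogd: exiting on signal 15
Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001
Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:]+): (?P<msg>.*)$"
)

# login(1) summary: "N LOGIN FAILURES ON tty" or "N LOGIN FAILURES ON tty, user".
LOGIN_FAIL_RE = re.compile(
    r"^(?P<n>\d+) LOGIN FAILURES? ON (?P<tty>[^,\s]+)(?:, (?P<user>\S+))?$"
)

# Drivers a headless server should never attach (assumption for this box).
UNEXPECTED_DEVICES = {"psm0": "PS/2 mouse"}


def classify_tty(tty):
    """Map a FreeBSD 4.x tty name to where the login attempt originated."""
    if tty.startswith("ttyv"):
        return "local console"      # syscons virtual terminal: physical keyboard
    if tty.startswith("ttyd") or tty.startswith("cuaa"):
        return "serial port"        # sio(4): serial console or modem
    if re.match(r"tty[p-sP-S]", tty):
        return "pseudo-terminal"    # pty: telnet/rlogin style network session
    return "unknown"


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(text):
    """Walk the log once and bucket the events a reviewer cares about."""
    report = {
        "orderly_shutdowns": [],   # syslogd got SIGTERM from the rc shutdown path
        "boots": [],               # kernel banner: the machine came back up
        "devices_attached": [],    # unexpected hardware the kernel probed at boot
        "login_failures": [],      # one entry per batch of login(1) failures
    }
    batches = {}                   # (ts, tty, count) -> entry, to merge the pair of lines
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if prog == "syslogd" and msg == "exiting on signal 15":
            report["orderly_shutdowns"].append(ts)
        elif prog == "/kernel" and msg.startswith("FreeBSD "):
            report["boots"].append(ts)
        elif prog == "/kernel":
            dev = msg.split(":", 1)[0]
            if dev in UNEXPECTED_DEVICES and dev not in report["devices_attached"]:
                report["devices_attached"].append(dev)
        elif prog == "login":
            m = LOGIN_FAIL_RE.match(msg)
            if not m:
                continue
            key = (ts, m.group("tty"), int(m.group("n")))
            entry = batches.get(key)
            if entry is None:
                entry = batches[key] = {
                    "ts": ts,
                    "count": int(m.group("n")),
                    "tty": m.group("tty"),
                    "origin": classify_tty(m.group("tty")),
                    "last_user": None,   # filled from the authpriv copy, if present
                }
                report["login_failures"].append(entry)
            if m.group("user"):
                entry["last_user"] = m.group("user")
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_MESSAGES)
    for ts in r["orderly_shutdowns"]:
        print(f"{ts}: orderly shutdown (syslogd got SIGTERM)")
    for ts in r["boots"]:
        print(f"{ts}: kernel booted")
    for dev in r["devices_attached"]:
        print(f"unexpected device attached at boot: {dev} ({UNEXPECTED_DEVICES[dev]})")
    for f in r["login_failures"]:
        print(f"{f['ts']}: {f['count']} failures on {f['tty']} "
              f"({f['origin']}), last user tried: {f['last_user']}")
```

Run against the quoted lines it reports one orderly shutdown, one boot, psm0 attached, and a single batch of three console failures whose last username was root. The script only reads what the log says; whether psm0 is genuinely new is answered by comparing against the previous boot's messages in the same log or in /var/run/dmesg.boot, which is the check to do before taking it up with the data center.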