Date: Tue, 05 Feb 2002 09:50:30 -0800
From: Victor Grey <victor@customdynamic.net>
To: <freebsd-security@freebsd.org>
Subject: Is this evidence of a break-in attempt?
Message-ID: <B8855B65.70FE%victor@customdynamic.net>

I have a server co-located at a data center, running FreeBSD 4.4 release. According to /var/log/messages it rebooted itself at one minute before midnight the night before last, and then (I think that's what the lines in messages mean) discovered a mouse attached as it booted up. Then at 43 minutes past midnight there were six login failures, three as root. (Running tripwire yesterday morning showed nothing suspicious.)

Well - there shouldn't be any mouse attached, it's a headless server. Furthermore, if I understand it correctly, a login failure at ttyv0 means it happened at the local console -- not a remote break-in attempt over the network. The data center personnel swear there was no one in there last night.

Can someone verify for me that I am interpreting the log correctly before I pursue it further with them? Specifically, is there any way for the log to show a login failure at ttyv0 if no keyboard or mouse is attached to the machine? Or any other insights/things I should look at?

Here are the relevant lines from /var/log/messages:

-----------------------------
Feb 3 23:56:20 p2 syslogd: exiting on signal 15
<snip>
Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001
<snip>
Feb 3 23:59:00 p2 /kernel: psm0: <PS/2 Mouse> irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
<snip>
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
-----------------------------

Thanks,
Victor Grey
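
A triage sketch for the log excerpt above, added here as an example and not part of the original message: it classifies each login failure by tty name (ttyv* is a syscons virtual console, ttyd* a serial port, ttyp* a pseudo-terminal) and measures how long after the boot banner it occurred. The function names, the event fields and the year argument are assumptions of this example.

```python
import re
from datetime import datetime

# Log lines copied from the excerpt in the message above.
SAMPLE = [
    "Feb 3 23:56:20 p2 syslogd: exiting on signal 15",
    "Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001",
    "Feb 3 23:59:00 p2 /kernel: psm0: <PS/2 Mouse> irq 12 on atkbdc0",
    "Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0",
    "Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root",
]
LINE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+([^:\[]+)(?:\[\d+\])?:\s+(.*)$")
FAIL = re.compile(r"^(\d+) LOGIN FAILURES? ON ([^\s,]+)(?:, (\S+))?$")

def tty_origin(tty):
    """Classify a FreeBSD 4.x tty name by where its login prompt is reachable."""
    if tty.startswith("ttyv"):
        return "local console"   # syscons virtual terminal: keyboard or KVM on the box
    if tty.startswith("ttyd"):
        return "serial line"     # serial port with a getty on it
    if re.match(r"tty[p-sP-S]", tty):
        return "network pty"     # pseudo-terminal, e.g. a telnet session
    return "unknown"

def triage(lines, year):
    """Return boot and login-failure events; syslog omits the year, so pass it in."""
    events, boot, clean = [], None, False
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        mon, day, clock, proc, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if proc == "syslogd" and msg == "exiting on signal 15":
            clean = True         # syslogd was sent SIGTERM, as in an orderly shutdown
        elif proc == "/kernel" and msg.startswith("FreeBSD "):
            boot = ts            # kernel banner marks the start of a boot
            events.append({"kind": "boot", "time": ts, "orderly_shutdown_logged": clean})
            clean = False
        elif proc == "login" and (f := FAIL.match(msg)):
            events.append({
                "kind": "login_failures", "time": ts, "count": int(f.group(1)),
                "tty": f.group(2), "origin": tty_origin(f.group(2)), "user": f.group(3),
                "minutes_after_boot": int((ts - boot).total_seconds() // 60) if boot else None,
            })
    return events

if __name__ == "__main__":
    for event in triage(SAMPLE, 2002):
        print(event)
```

On the excerpt this reports a boot preceded by a logged syslogd termination, followed 44 minutes later by two failure records on ttyv0, both classified as local console.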