Date:      Tue, 5 Feb 2002 10:05:02 -0800
From:      Alfred Perlstein <bright@mu.org>
To:        Victor Grey <victor@customdynamic.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Is this evidence of a break-in attempt?
Message-ID:  <20020205100502.D59017@elvis.mu.org>
In-Reply-To: <B8855B65.70FE%victor@customdynamic.net>; from victor@customdynamic.net on Tue, Feb 05, 2002 at 09:50:30AM -0800
References:  <B8855B65.70FE%victor@customdynamic.net>

* Victor Grey <victor@customdynamic.net> [020205 09:53] wrote:
> I have a server co-located at a data center, running FreeBSD 4.4 release.
> According to /var/log/messages it rebooted itself at one minute before
> midnight the night before last, and then (I think that's what the lines in
> messages mean) discovered a mouse attached as it booted up. Then at 43
> minutes past midnight there were six login failures, three as root. (Running
> tripwire yesterday morning showed nothing suspicious.)
> 
> Well, there shouldn't be any mouse attached; it's a headless server.
> Furthermore, if I understand it correctly, a login failure at ttyv0 means it
> happened at the local console -- not a remote break-in attempt over the
> network.

[snip]

Sure looks like someone was trying something, most likely a result
of incompetence rather than malice.  When I was managing servers
for a company that used a colo, the NOC people were pretty bad;
multiple times after requesting assistance in our cage I'd get a
callback from the NOC people who would be in the wrong cage:

"Hi this is <name> from <foo> services, I'm in your cage."

"Ok *grumble* (only took 20 minutes) *grumble*, I need you to
 power cycle the red server."

"Which red server?"

"What do you mean which?  We only have one, it's fire engine red,
 you can't miss it!"

"They're all red!"

"Uh, what cage are you in?"

"Cage 57."

"Ok, that's our cage... ummm.. hmmm.. oh!  What building are you in?"

"Building 2."

(we happen to actually be located in building 3)

"OH!!! I just remembered, we got those delivered on Saturday, they
 weren't supposed to be powered on yet and they're stealing our main
 server's IP address!"

"Oh, what do I do?"

"Well I need you to remove the power cables from all the boxes."

"All five hundred of them?"

"YES! and call me back when you're done."

"Ok" *click*

(actually I told him he was in the wrong building and my server
 was eventually brought back into service, it just took about 45
 minutes longer than it should have.)

-Alfred
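The quoted report above rests on reading three things out of /var/log/messages: a kernel boot banner (the reboot), a psm0 mouse probe during that boot (someone had a keyboard/mouse on the console), and login(1) failure notices that say "ON ttyv0" rather than "FROM <host>", which is what separates a local-console attempt from a network one. The following script is an added example, not part of this thread or of FreeBSD; it runs that triage over a handful of constructed log lines written to approximate the FreeBSD 4.x syslog format (the host name "colo", the timestamps, the address 192.0.2.10 and the user names are all made up), and reports console failures separately from remote ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines approximating FreeBSD 4.x /var/log/messages output
# (boot banner, psm0 mouse probe, login(1) failure notices). These are not the
# original poster's log; the host, times, user names and address are invented.
SAMPLE_LOG = """\
Feb  3 23:59:02 colo /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
Feb  3 23:59:02 colo /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb  4 00:43:11 colo login: 3 LOGIN FAILURES ON ttyv0, root
Feb  4 00:43:40 colo login: 3 LOGIN FAILURES ON ttyv0
Feb  4 08:15:02 colo login: 2 LOGIN FAILURES FROM 192.0.2.10, victor
Feb  4 08:16:00 colo sshd[412]: Accepted publickey for victor from 192.0.2.10 port 40112 ssh2
"""

# "Mon DD HH:MM:SS host message" as syslogd writes it.
SYSLOG = re.compile(r"^(?P<when>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Kernel copyright banner: only printed at boot, so it marks a reboot.
BOOT_BANNER = re.compile(r"^/kernel: Copyright \(c\) ")
# psm(4) attaching a PS/2 mouse during device probing.
MOUSE_PROBE = re.compile(r"^/kernel: psm\d+: ")
# login(1) notices: "ON <tty>" for local logins, "FROM <host>" for network
# logins, with ", <user>" appended when a user name was typed.
LOGIN_FAIL = re.compile(
    r"^login: (?P<count>\d+) LOGIN FAILURES? "
    r"(?:ON (?P<tty>\S+?)|FROM (?P<src>\S+?))"
    r"(?:, (?P<user>\S+))?$"
)


@dataclass
class LoginFailure:
    when: str
    count: int
    tty: Optional[str]   # set for local logins ("ON ttyv0")
    src: Optional[str]   # set for network logins ("FROM host")
    user: Optional[str]  # name that was typed, if login(1) recorded it

    @property
    def local_console(self) -> bool:
        # ttyv* are the syscons virtual terminals: reachable only from a
        # keyboard plugged into the machine (or a KVM in the cage).
        return self.tty is not None and self.tty.startswith("ttyv")


def parse_messages(text: str) -> Dict[str, list]:
    """Pull reboots, console mouse probes and login failures out of syslog text."""
    events: Dict[str, list] = {"reboots": [], "mouse": [], "failures": []}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        when, msg = m.group("when"), m.group("msg")
        if BOOT_BANNER.match(msg):
            events["reboots"].append(when)
        elif MOUSE_PROBE.match(msg):
            events["mouse"].append(when)
        else:
            f = LOGIN_FAIL.match(msg)
            if f:
                events["failures"].append(
                    LoginFailure(when, int(f["count"]), f["tty"], f["src"], f["user"]))
    return events


def console_failure_counts(events: Dict[str, list]) -> Tuple[int, int]:
    """(all local-console login failures, those where the typed name was root)."""
    console = [f for f in events["failures"] if f.local_console]
    return (sum(f.count for f in console),
            sum(f.count for f in console if f.user == "root"))


def summarize(events: Dict[str, list]) -> List[str]:
    """Human-readable findings, console access listed apart from network attempts."""
    findings: List[str] = []
    for when in events["reboots"]:
        findings.append(f"{when}: kernel boot banner (reboot)")
    for when in events["mouse"]:
        findings.append(f"{when}: PS/2 mouse probed at boot on a headless box")
    total, as_root = console_failure_counts(events)
    if total:
        findings.append(f"{total} failed logins at the local console ({as_root} as root): "
                        "physical access, not a network attack")
    for f in (f for f in events["failures"] if f.src):
        findings.append(f"{f.when}: {f.count} failed network logins from {f.src}"
                        + (f" as {f.user}" if f.user else ""))
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_messages(SAMPLE_LOG)):
        print(finding)
```

On the sample input the script reports one reboot, one mouse probe, six console failures (three as root) and two network failures from the made-up address; on a real box you would feed it the actual file with `parse_messages(open("/var/log/messages").read())` and then check the console findings against the colo's access log for the cage.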
