Date: Tue, 5 Feb 2002 20:17:28 +0200
From: Yonatan Bokovza <Yonatan@xpert.com>
To: 'Alfred Perlstein' <bright@mu.org>, Victor Grey <victor@customdynamic.net>
Cc: freebsd-security@freebsd.org
Subject: RE: Is this evidence of a break-in attempt?
Message-ID: <EB513E68D3F5D41191CA000255588101B4379A@mailserv.xpert.com>

> -----Original Message-----
> From: Alfred Perlstein [mailto:bright@mu.org]
> Sent: Tuesday, February 05, 2002 20:05
> To: Victor Grey
> Cc: freebsd-security@freebsd.org
> Subject: Re: Is this evidence of a break-in attempt?
>
>
> * Victor Grey <victor@customdynamic.net> [020205 09:53] wrote:
> > I have a server co-located at a data center, running FreeBSD 4.4 release.
> > According to /var/log/messages it rebooted itself at one minute before
> > midnight the night before last, and then (I think that's what the lines in
> > messages mean) discovered a mouse attached as it booted up. Then at 43
> > minutes past midnight there were six login failures, three as root. (Running
> > tripwire yesterday morning showed nothing suspicious.)
> >
> > Well - there shouldn't be any mouse attached, it's a headless server.
> > Furthermore, if I understand it correctly, a login failure at ttyv0 means it
> > happened at the local console -- not a remote break-in attempt over the
> > network.
>
> [snip]
>
> Sure looks like someone was trying something, most likely a result
<snip>

I agree. If you'd include the whole dmesg and the output of
find / -atime <number_of_days_since_the_alleged_attack> -ls

> "OH!!! I just remembered, we got those delivered on Saturday, they
> weren't supposed to be powered on yet and they're stealing our main
> server's IP address!"
>
> "Oh, what do I do?"
>
> "Well I need you to remove the power cables from all the boxes."
>
> "All five hundred of them?"
>
> "YES! and call me back when you're done."
>
> "Ok" *click*

Presenting: "Perlstein. Alfred Perlstein! BOFH!!"
;-)

Regards,
Yonatan.