Date: Wed, 5 Jan 2005 10:58:28 +0100 (CET)
From: Peter Ulrich Kruppa <root@pukruppa.de>
To: Bill Moran <wmoran@potentialtech.com>
Cc: questions@freebsd.org
Subject: Re: Someone trying to break in.
Message-ID: <20050105105340.C98674@pukruppa.net>
In-Reply-To: <20050104100639.6f01c87a.wmoran@potentialtech.com>
References: <20050104100639.6f01c87a.wmoran@potentialtech.com>

On Tue, 4 Jan 2005, Bill Moran wrote:

>
> Over the holiday I replaced a server that appeared to have been
> cracked. Basically built a replacement with the same services
> in a sandbox, then swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam
> coming off it that the old one was generating, however, I'm
> seeing a lot of messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat
> /usr/sbin/nologin/.login_conf: Not a directory
> Jan 4 07:15:13 mail su: _secure_path: cannot stat
> /usr/sbin/nologin/.login_conf: Not a directory

Perhaps you just mixed up some (pseudo-)user's entry for
/etc/master.passwd?
Instead of
    ...:/nonexistent:/sbin/nologin
you set
    ...:/sbin/nologin:/nonexistent
???

Just a guess,

Uli.

>
> On the one hand, I'm taking this to mean that whatever
> technique was previously being used to control the box is no
> longer working, but I'm wondering if anyone has an idea as to
> what the technique actually was? I want to see if I can lock it
> down even further, based on the specific exploit that is being
> attempted here.
>
> Anyone seen these errors before, and have any clue as to what
> exploit is going on? The previous machine was very outdated,
> so I'm assuming it was a known exploit in the mail system
> (postfix) or Neomail or something else. The new machine has
> all the latest stable versions of all software, so I'm hoping
> that it's no longer vulnerable, but I can't seem to determine
> what kind of attack was being used.
>
> Thoughts?
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

+---------------------------+
|    Peter Ulrich Kruppa    |
|         Wuppertal         |
|          Germany          |
+---------------------------+
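
One way to check for the mix-up guessed at in the reply above, as an added example that is not part of the original message: it scans passwd-format text for entries whose home and shell fields look swapped. The function name, the sample accounts and the list of no-login program names are assumptions made for illustration.

```python
import os

# Constructed sample in master.passwd(5) layout (10 colon-separated fields).
# Account names and values are made up for illustration.
SAMPLE = """\
# constructed sample, not taken from the thread
root:*:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mailuser:*:1001:1001::0:0:Mail pseudo-user:/usr/sbin/nologin:/nonexistent
"""

# Basenames that belong in the shell field, never in the home field (assumed list).
NOLOGIN_NAMES = {"nologin", "false"}


def audit_passwd(text, check_fs=False):
    """Return (line number, account, reason) for entries whose last two
    fields (home directory, shell) look swapped.

    Works on 7-field passwd(5) and 10-field master.passwd(5) text, because
    home and shell are the last two fields in both layouts.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            findings.append((lineno, fields[0], "unexpected field count"))
            continue
        home, shell = fields[-2], fields[-1]
        if os.path.basename(home) in NOLOGIN_NAMES:
            findings.append((lineno, fields[0], "home is a no-login program: " + home))
        if shell == "/nonexistent":
            findings.append((lineno, fields[0], "shell is /nonexistent"))
        # Optional live check: if the home path exists but is a file, stat() of
        # <home>/.login_conf fails with "Not a directory", as in the quoted log.
        if check_fs and os.path.exists(home) and not os.path.isdir(home):
            findings.append((lineno, fields[0], "home exists but is not a directory"))
    return findings


if __name__ == "__main__":
    for lineno, account, reason in audit_passwd(SAMPLE):
        print("line %d: %s: %s" % (lineno, account, reason))
```

On a live system, pass the contents of the password file and set check_fs=True so the home paths are also tested against the filesystem.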
