From: Peter Ulrich Kruppa
To: Bill Moran
cc: questions@freebsd.org
Date: Wed, 5 Jan 2005 10:58:28 +0100 (CET)
Subject: Re: Someone trying to break in.
Message-ID: <20050105105340.C98674@pukruppa.net>
In-Reply-To: <20050104100639.6f01c87a.wmoran@potentialtech.com>

On Tue, 4 Jan 2005, Bill Moran wrote:

> Over the holiday I replaced a server that appeared to have been
> cracked. Basically built a replacement with the same services
> in a sandbox, then swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam
> coming off it that the old one was generating, however, I'm
> seeing a lot of messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
> Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory

Perhaps you just mixed up some (pseudo-)user's entry for /etc/master.passwd ?
Instead of

    ...:/nonexistent:/sbin/nologin

you set

    ...:/sbin/nologin:/nonexistent

???

Just a guess,

Uli.

> On the one hand, I'm taking this to mean that whatever
> technique was previously being used to control the box is no
> longer working, but I'm wondering if anyone has an idea as to
> what the technique actually was? I want to see if I can lock it
> down even further, based on the specific exploit that is being
> attempted here.
>
> Anyone seen these errors before, and have any clue as to what
> exploit is going on? The previous machine was very outdated,
> so I'm assuming it was a known exploit in the mail system
> (postfix) or Neomail or something else. The new machine has
> all the latest stable versions of all software, so I'm hoping
> that it's no longer vulnerable, but I can't seem to determine
> what kind of attack was being used.
>
> Thoughts?
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

+---------------------------+
| Peter Ulrich Kruppa       |
| Wuppertal                 |
| Germany                   |
+---------------------------+
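A check for the swapped home/shell mistake guessed at above, as an added example that is not part of the original thread: it parses master.passwd(5) lines and flags accounts whose home field is a nologin binary, which is what makes su's _secure_path try to stat $HOME/.login_conf under /usr/sbin/nologin. The sample lines and the "webmail" pseudo-user are constructed.

```python
"""Flag master.passwd entries whose home and shell fields look swapped."""
import os

# Constructed sample in master.passwd(5) format (10 colon-separated fields):
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
webmail:*:1001:1001::0:0:Webmail pseudo-user:/usr/sbin/nologin:/nonexistent
"""

# Shells that are never a sane home directory (both paths appear in the thread).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}


def parse_master_passwd(text):
    """Yield (name, home, shell) for every non-comment line with 10 fields."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue  # skip malformed lines instead of guessing field positions
        yield fields[0], fields[8], fields[9]


def swapped_entries(text, check_fs=False):
    """Return account names whose home/shell fields look exchanged.

    With check_fs=True, also flag any account whose home path exists but is
    not a directory: that is the exact condition behind the logged
    'cannot stat .../.login_conf: Not a directory'.
    """
    bad = []
    for name, home, shell in parse_master_passwd(text):
        if home in NOLOGIN_SHELLS or shell == "/nonexistent":
            bad.append(name)
        elif check_fs and os.path.exists(home) and not os.path.isdir(home):
            bad.append(name)
    return bad


def fix_swapped(line):
    """Return the line with home and shell exchanged if the home is a nologin shell."""
    fields = line.split(":")
    if len(fields) == 10 and fields[8] in NOLOGIN_SHELLS:
        fields[8], fields[9] = fields[9], fields[8]
    return ":".join(fields)


if __name__ == "__main__":
    print("suspicious accounts:", swapped_entries(SAMPLE_MASTER_PASSWD))
```

On a live system, feed it the contents of /etc/master.passwd (root-readable only) and apply any corrected line through vipw(8) so the password databases get rebuilt.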