Date:      Thu, 05 Sep 2002 07:06:20 -0500
From:      "J.D. Bronson" <lists@xpec.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: security run question..
Message-ID:  <5.1.1.6.2.20020905070254.00b17d40@localhost>
In-Reply-To: <20020905114545.GB32849@happy-idiot-talk.infracaninophi>
References:  <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com> <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>

At 06:45 AM 9/5/2002, Matthew Seaman wrote:
>On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> > I noticed this in my daily security run.
> > Is a user trying to do something bad here?
> >
> >
> > > Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> > > Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> > > Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> > > Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> > > Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> > > Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110):
> > /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> > > Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> > > Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
>
>Yup.  That's some user attempting unauthorised access to the password
>database (Bad user! No biscuit!).  Doesn't look like a very
>sophisticated attack, and nothing shown in your message indicates that
>they actually got anywhere.
>
>However, as a conscientious and appropriately paranoid sysadmin you
>should now be in full alert mode, hunting around the system for
>evidence of breakins and trying to trace the identity of the person
>who did that.  I'd also immediately lock out the affected account and
>probably be looking to completely delete it --- even if the nominal
>user of the account had no connection to the attempted break-in they
>may still have been negligent about keeping their access credentials
>(password, ssh keys, etc.) properly secured.
>
>Questions C1 and C2 of the CERT/CC FAQ may be of use to you:
>http://www.cert.org/faq/cert_faq.html
>
>         Cheers,

Well, this is interesting.... I logged into the machine and did a ps, and all
the processes listed belonged to user ID numbers and not names, like I
expect. I then vipw'd; the file looked fine, so then I saved it.

Now, the processes show up with usernames and not userIDs anymore.

I am trying in vain to see who might have done this.
I have some clues...

mutt/zsh are used by ONE person and only that person.
I only allow ssh into the machine, and it is restricted to 3 IPs via the
firewall (external unit). So unless a binary was hacked into (doubt it), I
would like to verify this person as the culprit.

Trouble is that the ssh log shows him logging in at 1am, but then dropping 
out. And all of this seemed to happen around 5am?

Thanks in advance, guys.

>         Matthew
>
>--
>Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
>                                                       Marlow
>Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

-- 
J.D. Bronson
Aurora Health Care // Information Systems // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.603.8282


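The thread never settles whether the lines are an attack or a broken file, and the two explanations leave different traces. On FreeBSD, /etc/pwd.db is the hash-free copy of the password database and is meant to be world-readable; /etc/spwd.db holds the hashes and is root-only. Ordinary programs (a shell, ls, mutt, ps) call getpwuid()/getpwnam(), which read pwd.db, so a "Permission denied" on pwd.db from unprivileged processes normally means the file's mode or ownership is wrong, which also explains ps printing numeric UIDs until vipw rebuilt the database. A denial on spwd.db is the different, expected outcome of a non-root process reaching for the hashes. The script below is an added example written for this thread, not code posted by either participant: it parses syslog lines of the shape shown above, clusters the denials into time bursts so each burst can be matched against sshd login records, and compares the two database files' modes against an assumed baseline. The sample lines are the ones quoted in the thread; the year, the 30-minute burst gap and the baseline modes are assumptions of the example.

```python
"""Triage helper for 'prog: /etc/pwd.db: Permission denied' lines from a
FreeBSD daily security run (added example, not from the thread)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (no year field).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PWDB_RE = re.compile(r"(?P<path>/etc/s?pwd\.db): Permission denied")

# Assumed baseline: pwd.db carries no hashes and is world-readable,
# spwd.db carries the hashes and is readable by root only.
EXPECTED_MODE = {"/etc/pwd.db": 0o644, "/etc/spwd.db": 0o600}


def parse_pwdb_events(lines, year=2002):
    """Return one dict per password-database denial; other lines are ignored.
    `year` is assumed because syslog does not record it."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        d = PWDB_RE.search(m["msg"])
        if not d:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"],
                       "prog": m["prog"], "path": d["path"]})
    return events


def cluster_bursts(events, gap=timedelta(minutes=30)):
    """Group events into bursts separated by at least `gap` of silence, so a
    burst can be lined up against login/session records for that window."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if bursts and ev["ts"] - bursts[-1][-1]["ts"] <= gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(events):
    """Counts by program and by database file, plus (start, end, n) per burst."""
    return {
        "count": len(events),
        "programs": Counter(e["prog"] for e in events),
        "paths": Counter(e["path"] for e in events),
        "bursts": [(b[0]["ts"], b[-1]["ts"], len(b))
                   for b in cluster_bursts(events)],
    }


def check_db_modes(modes):
    """Compare observed modes (e.g. os.stat(p).st_mode & 0o777) with the
    baseline. A denial on world-readable pwd.db points at broken file
    permissions rather than at a user being stopped by them."""
    findings = []
    for path, want in EXPECTED_MODE.items():
        got = modes.get(path)
        if got is None:
            findings.append(f"{path}: missing")
        elif got != want:
            findings.append(f"{path}: mode {got:04o}, expected {want:04o}")
    return findings


# Sample input: the lines quoted in the thread (sendmail line re-joined).
SAMPLE_LINES = [
    "Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied",
    "Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied",
    "Sep  5 05:21:43 molson ls: /etc/pwd.db: Permission denied",
    "Sep  5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied",
    "Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied",
    "Sep  5 05:23:51 molson mutt: /etc/pwd.db: Permission denied",
    "Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied",
    "Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): "
    "/etc/mail/sendmail.cf: line 0: cannot open: Permission denied",
    "Sep  5 05:25:04 molson mutt: /etc/pwd.db: Permission denied",
    "Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied",
]

if __name__ == "__main__":
    s = summarize(parse_pwdb_events(SAMPLE_LINES))
    print(s["count"], "denials;", dict(s["programs"]))
    for start, end, n in s["bursts"]:
        print(f"burst {start:%H:%M:%S}-{end:%H:%M:%S}: {n} events")
    # Constructed observation: both files ended up mode 0600.
    print(check_db_modes({"/etc/pwd.db": 0o600, "/etc/spwd.db": 0o600}))
```

Run against the quoted lines this yields two bursts, 05:21 to 05:25 and a lone 08:01 event, which is the shape to compare with the sshd log the poster mentions; a real check would feed `os.stat` results for both files into `check_db_modes` and look at `ls -l /etc/*pwd.db` before concluding that anyone was probing.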