From: Roman Neuhauser
To: "J.D. Bronson"
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 5 Sep 2002 14:32:59 +0200
Subject: Re: security run question..
Message-ID: <20020905123259.GJ10717@freepuppy.bellavista.cz>
In-Reply-To: <5.1.1.6.2.20020905070254.00b17d40@localhost>

# lists@xpec.com / 2002-09-05 07:06:20 -0500:
> At 06:45 AM 9/5/2002, Matthew Seaman wrote:
> >On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> >> I noticed this in my daily security run.
> >> Is a user trying to do something bad here?
> >>
> >> > Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> >> > Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> >> > Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> >> > Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> >> > Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
> >
> >Yup. That's some user attempting unauthorised access to the password
> >database (Bad user! No biscuit!). Doesn't look like a very
> >sophisticated attack, and nothing shown in your message indicates that
> >they actually got anywhere.
...
> mutt/zsh are used by ONE person and only that person.
> I only allow ssh into the machine and it is restricted to 3 IPs via the
> firewall (external unit). So unless a binary was hacked into *doubt it*, I
> would like to verify this person as the culprit.
>
> Trouble is that the ssh log shows him logging in at 1am, but then dropping
> out. And all of this seemed to happen around 5am?

crontab?

-- 
begin 666 nonexistent.vbs
FreeBSD 4.6-STABLE 2:30PM up 15 days, 20:23, 10 users, load averages: 0.02, 0.05, 0.00
end
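The check behind that one-word reply, as an added example that is not part of the thread and not FreeBSD code: cluster the quoted security-run lines into bursts, then test the timestamp of each burst against crontab schedules to see which hits cron could have produced. The syslog lines are the ones quoted above; the crontab entries are constructed for illustration only and are not from the poster's machine; the "interactive-like" versus "cron-candidate" labelling is a heuristic of mine, not something the thread asserts.

```python
"""Burst-cluster the 'Permission denied' lines of a FreeBSD daily security run and
test each burst against crontab schedules: the check behind the reply "crontab?".
Added example for this thread; not code from the thread or from FreeBSD."""
import re
from datetime import datetime, timedelta

# The syslog lines quoted in the thread. syslog omits the year; 2002 is from the headers.
YEAR = 2002
SECURITY_RUN = """\
Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
"""

# Constructed (hypothetical) user crontab, five time fields + command as `crontab -l`
# prints it. NOT the poster's real crontab; it only illustrates the matching.
CRONTAB = [
    '1 8 * * * /usr/bin/uustat -a',
    '*/15 * * * * /usr/local/bin/fetchmail -s',
]

LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')

def parse_security_run(text, year=YEAR):
    """(timestamp, program, message) for each 'Permission denied' syslog line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and 'Permission denied' in m['msg']:
            when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                     '%Y %b %d %H:%M:%S')
            events.append((when, m['prog'], m['msg']))
    return events

def cluster(events, max_gap=timedelta(minutes=5)):
    """Group events into bursts; a gap longer than max_gap starts a new burst."""
    bursts = []
    for ev in sorted(events):
        if bursts and ev[0] - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts

def _field_ok(field, value, lo, hi):
    """One Vixie-cron field: '*', N, A-B, comma lists, optional /step."""
    for part in field.split(','):
        rng, _, step = part.partition('/')
        step = int(step or 1)
        if rng == '*':
            start, end = lo, hi
        elif '-' in rng:
            start, end = map(int, rng.split('-', 1))
        else:
            start, end = int(rng), (hi if step > 1 else int(rng))
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def cron_matches(entry, when):
    """True if a five-field crontab entry fires in the minute containing `when`."""
    minute, hour, dom, month, dow = entry.split(None, 5)[:5]
    cron_dow = (when.weekday() + 1) % 7            # Python Mon=0 -> cron Sun=0
    dow_ok = _field_ok(dow, cron_dow, 0, 7) or (cron_dow == 0 and _field_ok(dow, 7, 0, 7))
    dom_ok = _field_ok(dom, when.day, 1, 31)
    # Vixie cron: with both day fields restricted, either one matching is enough.
    day_ok = (dom_ok or dow_ok) if (dom != '*' and dow != '*') else (dom_ok and dow_ok)
    return (_field_ok(minute, when.minute, 0, 59) and _field_ok(hour, when.hour, 0, 23)
            and _field_ok(month, when.month, 1, 12) and day_ok)

def cron_hits(burst, entries):
    """Crontab entries that fire in the minute of some event in the burst."""
    return [e for e in entries if any(cron_matches(e, when) for when, _, _ in burst)]

def classify(burst, entries):
    """Heuristic only: several different shell/editor/MUA programs failing at arbitrary
    seconds looks like a person at a keyboard; a lone hit at :00 seconds that lines up
    with a crontab entry looks like cron. Neither is proof; it says where to look next."""
    programs = {prog for _, prog, _ in burst}
    on_minute = all(when.second == 0 for when, _, _ in burst)
    if len(programs) >= 2 and not on_minute:
        return 'interactive-like'
    if cron_hits(burst, entries):
        return 'cron-candidate'
    return 'undetermined'

if __name__ == '__main__':
    for burst in cluster(parse_security_run(SECURITY_RUN)):
        span = f"{burst[0][0]:%b %d %H:%M:%S}..{burst[-1][0]:%H:%M:%S}"
        print(f"{span} {len(burst):2d} event(s) {sorted({p for _, p, _ in burst})} "
              f"-> {classify(burst, CRONTAB)}", *cron_hits(burst, CRONTAB), sep='\n    ')
```

To use it on a real box, replace the CRONTAB list with the lines of `crontab -l -u <user>` for the suspect account; entries from the system crontab (/etc/crontab) carry an extra "who" column after the five time fields and have to have that column removed before `cron_matches` will read them. The gap threshold for `cluster` is a judgement call: five minutes separates the 05:21-05:25 burst from the 08:01 hit here, but a user idling in a shell for longer would split one session into several bursts.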