Date: Thu, 05 Sep 2002 09:36:42 -0500
From: "J.D. Bronson" <lists@xpec.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: security run question..
Message-ID: <5.1.1.6.2.20020905093337.00b0c0f0@localhost>
In-Reply-To: <20020905114545.GB32849@happy-idiot-talk.infracaninophi>
References: <5.1.1.6.2.20020905055017.00b4d338@molson.wixb.com>
At 06:45 AM 9/5/2002, Matthew Seaman wrote:
>On Thu, Sep 05, 2002 at 05:51:16AM -0500, J.D. Bronson wrote:
> > I noticed this in my daily security run.
> > Is a user trying to do something bad here?
> >
> > > Sep 5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep 5 05:21:25 molson ls: /etc/pwd.db: Permission denied
> > > Sep 5 05:21:43 molson ls: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:11 molson -zsh: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 05:23:51 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 05:24:34 molson vi: /etc/pwd.db: Permission denied
> > > Sep 5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110):
> > /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
> > > Sep 5 05:25:04 molson mutt: /etc/pwd.db: Permission denied
> > > Sep 5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
>
>Yup. That's some user attempting unauthorised access to the password
>database (Bad user! No biscuit!). Doesn't look like a very
>sophisticated attack, and nothing shown in your message indicates that
>they actually got anywhere.
>
>However, as a conscientious and appropriately paranoid sysadmin you
>should now be in full alert mode, hunting around the system for
>evidence of breakins and trying to trace the identity of the person
>who did that. I'd also immediately lock out the affected account and
>probably be looking to completely delete it --- even if the nominal
>user of the account had no connection to the attempted break-in they
>may still have been negligent about keeping their access credentials
>(password, ssh keys, etc.) properly secured.

This story seems to have an ending. I talked with the individual and he
claims he was not home or at work at the time...thus leading me to believe
that his ssh key was compromised.

I only allow ssh and only with keys. Not even password or password fallback.

I pulled access due to his negligence. He complained.

TOO BAD.

Now I have to reload this machine. There are more and more things I keep
finding..even the time is now GMT instead of my normal time zone.

Damn.

--
J.D. Bronson
Aurora Health Care // Information Systems // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.603.8282
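As an added example (not code from the thread or from FreeBSD), a small Python script that parses security-run lines of the shape quoted above and groups Permission-denied hits on the password database into time bursts, so that several different programs failing on /etc/pwd.db within a few minutes stands out as an interactive user poking at the file rather than one misconfigured daemon retrying. The log lines are constructed to match the thread's; the year (2002), the sshd control line and the 5-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the security-run lines quoted in the
# thread (the sshd line is a benign control). The year is assumed to be 2002.
SAMPLE_LOG = """\
Sep  5 05:21:20 molson -zsh: /etc/pwd.db: Permission denied
Sep  5 05:21:25 molson ls: /etc/pwd.db: Permission denied
Sep  5 05:23:14 molson mutt: /etc/pwd.db: Permission denied
Sep  5 05:24:34 molson vi: /etc/pwd.db: Permission denied
Sep  5 05:24:45 molson sendmail[999]: NOQUEUE: SYSERR(UID110): /etc/mail/sendmail.cf: line 0: cannot open: Permission denied
Sep  5 08:01:00 molson uustat: /etc/pwd.db: Permission denied
Sep  5 09:00:00 molson sshd[123]: Accepted publickey for jdb from 192.0.2.10 port 5000 ssh2
"""

# Files an unprivileged user has no business reading; failed reads deserve a look.
SENSITIVE = ("/etc/pwd.db", "/etc/spwd.db", "/etc/master.passwd", "/etc/mail/sendmail.cf")

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse(line, year=2002):
    """Split one syslog line into timestamp, host, program and message (None if it does not match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}

def denied_sensitive(log):
    """Return the parsed events that are Permission-denied failures on a sensitive path."""
    hits = []
    for ev in filter(None, map(parse, log.splitlines())):
        if ev["msg"].endswith("Permission denied"):
            path = next((p for p in SENSITIVE if p in ev["msg"]), None)
            if path:
                hits.append({**ev, "path": path})
    return hits

def probe_sessions(events, window_s=300):
    """Group events into bursts whose neighbours are at most window_s apart. A burst in
    which three or more distinct programs fail on the same files is flagged as
    interactive: a person at a shell trying things, not one daemon retrying."""
    sessions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if sessions and (ev["ts"] - sessions[-1][-1]["ts"]).total_seconds() <= window_s:
            sessions[-1].append(ev)
        else:
            sessions.append([ev])
    return [{"start": s[0]["ts"], "end": s[-1]["ts"], "count": len(s),
             "programs": sorted({e["prog"] for e in s}),
             "interactive": len({e["prog"] for e in s}) >= 3} for s in sessions]

if __name__ == "__main__":
    for s in probe_sessions(denied_sensitive(SAMPLE_LOG)):
        flag = "PROBE" if s["interactive"] else "single"
        print(f"{s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} {s['count']:2d} hits {flag}: {', '.join(s['programs'])}")
```

Fed /var/log/messages instead of the sample, the same grouping gives a starting point for the "hunting around the system" step: the burst's start and end times bound which login sessions and which user's processes to examine.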