From: Wojciech Puchar
To: Lisa Casey
Cc: freebsd-questions@freebsd.org
Date: Sat, 15 Nov 2008 09:02:53 +0100 (CET)
Subject: Re: Question about entry in auth.log
Message-ID: <20081115090130.X19870@wojtek.tensor.gdynia.pl>

> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was not
> him.
>
> I am assuming someone tried to break in using a valid username (michael) but
> with an incorrect password.

it was a VALID password.
he successfully logged in. change the password now, look at what the intruder messed with, and tell michael to be more careful about his password next time. if the intruder wasn't very smart, he may not have deleted .history; look at what he/she did.
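
One way to review auth.log for the situation discussed in this thread, as an added example that is not part of the original message: it lists every `Accepted` sshd entry (a successful login) together with the number of earlier `Failed` entries from the same address. The function name and all sample lines except the entry quoted above are constructed, and the `Failed <method> for <user>` line format is an assumption about what sshd writes on the system being checked.

```python
import re
from collections import defaultdict

# sshd result lines look like:
#   "Accepted <method> for <user> from <ip> port <n> ssh2"
#   "Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review_auth_log(lines):
    """Return one record per successful login, with the count of failed
    attempts seen earlier in the log from the same source address."""
    failures = defaultdict(int)  # source ip -> failed attempts so far
    accepted = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        else:
            accepted.append({
                "when": line[:15],  # syslog timestamp, e.g. "Nov 12 15:44:29"
                "user": m["user"],
                "ip": m["ip"],
                "method": m["method"],
                "prior_failures": failures[m["ip"]],
            })
    return accepted

# Constructed sample input; only the last line is the entry from the thread.
SAMPLE = [
    "Nov 12 15:44:10 mail sshd[30152]: Failed keyboard-interactive/pam for invalid user admin from 89.123.165.3 port 55170 ssh2",
    "Nov 12 15:44:18 mail sshd[30155]: Failed keyboard-interactive/pam for michael from 89.123.165.3 port 55178 ssh2",
    "Nov 12 15:44:20 mail sshd[30157]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2",
    "Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2",
]

if __name__ == "__main__":
    for rec in review_auth_log(SAMPLE):
        note = "  <-- success after failed attempts" if rec["prior_failures"] else ""
        print(f'{rec["when"]} {rec["user"]} from {rec["ip"]} via {rec["method"]}, '
              f'{rec["prior_failures"]} earlier failure(s){note}')
```

An `Accepted` record with a non-zero `prior_failures` count, or from an address the account owner does not recognise, is the case the reply describes: the credentials worked and the account needs a password change and a review of what was done in the session.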