From: Jeremy Chadwick
To: Lisa Casey
Cc: freebsd-questions@freebsd.org
Date: Sat, 15 Nov 2008 00:17:23 -0800
Subject: Re: Question about entry in auth.log

On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> > Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
> > been there. I got rid of the michael account (it wasn't used anyway), and
> > downloaded a new copy of chkrootkit, installed it and ran it along with
> > chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless
> > enough prank? Anything else I ought to look at? Fortunately the michael
> > account did not have the ability to su to root.
>
> The individual in Romania *was not* able to log in as michael. The

Correction: the individual **WAS** able to log in as michael. I missed
the part of the message that said "Accepted" at the front. Sorry for
confusing you, I've had a very rough week and my brain is not
functioning.

What Wojciech said is correct -- change the password on the account.

Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
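
Added example, not part of the original message: the correction above turns on whether the sshd entry in auth.log begins with "Accepted" or "Failed". This Python script tallies both outcomes per account and source address; the sample lines are constructed, and the host name, PIDs, ports and addresses in them are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual syslog + OpenSSH sshd layout.
# Host name, PIDs, ports and addresses (RFC 5737 ranges) are made up.
SAMPLE_AUTH_LOG = """\
Nov 14 03:12:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 14 03:12:05 host sshd[4103]: Failed password for michael from 203.0.113.7 port 40120 ssh2
Nov 14 03:12:09 host sshd[4105]: Accepted password for michael from 203.0.113.7 port 40131 ssh2
Nov 14 09:30:44 host sshd[5220]: Accepted publickey for lisa from 192.0.2.25 port 51514 ssh2
Nov 14 09:41:02 host su: lisa to root on /dev/ttyp0
"""

# Matches only sshd authentication results; the first word decides the outcome.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize(log_text):
    """Return {(user, ip): {"Accepted": n, "Failed": n}} for sshd auth lines."""
    counts = defaultdict(lambda: {"Accepted": 0, "Failed": 0})
    for line in log_text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:  # non-sshd lines (su, cron, ...) are skipped
            counts[(m["user"], m["ip"])][m["result"]] += 1
    return dict(counts)


def accepted_after_failures(log_text):
    """(user, ip) pairs that have both failed attempts and a successful login.

    An Accepted line alone does not say whether a shell was spawned or only
    a file transfer (scp) took place; it only confirms authentication.
    """
    return sorted(key for key, v in summarize(log_text).items()
                  if v["Accepted"] and v["Failed"])


if __name__ == "__main__":
    for (user, ip), v in sorted(summarize(SAMPLE_AUTH_LOG).items()):
        print(f"{user:10} {ip:15} accepted={v['Accepted']} failed={v['Failed']}")
    print("review first:", accepted_after_failures(SAMPLE_AUTH_LOG))
```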