From: Bill Moran
To: Sergey Zaharchenko
cc: questions@freebsd.org
Date: Fri, 7 Jan 2005 14:56:00 -0500
Subject: Re: Someone trying to break in.
Message-Id: <20050107145600.5cc307a3.wmoran@potentialtech.com>
In-Reply-To: <20050105063822.GA1933@shark.localdomain>
Organization: Potential Technologies

Sergey Zaharchenko wrote:

> On Tue, Jan 04, 2005 at 10:06:39AM -0500,
> Bill Moran probably wrote:
>
> > Over the holiday I replaced a server that appeared to have been cracked.
> > Basically built a replacement with the same services in a sandbox, then
> > swapped it with the old one.
> >
> > The new server seems to be secure, as we're not seeing the spam coming
> > off it that the old one was generating, however, I'm seeing a lot of
> > messages in the log files. For example:
> >
> > Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
>
> It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
> that someone is trying to su. /usr/sbin/nologin can't be a home
> directory, it must be the shell for some user who isn't supposed to log
> in. /nonexistent should be the home directory. It looks possible that
> your password file specifies /usr/sbin/nologin as a home directory and a
> valid shell for some system user. Maybe you omitted or added an extra
> `:'? Just a guess,

Thanks for the input, Sergey. That's certainly what's happening. For some
reason, certain user records are awry.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
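One way to find the kind of shifted or mis-pointed passwd entry Sergey describes, added here as an example rather than anything posted in the thread: it assumes the 7-field /etc/passwd layout (FreeBSD's /etc/master.passwd carries 10 fields, so run it on the pwd_mkdb-generated /etc/passwd) and uses constructed sample lines, two of which are deliberately broken.

```sh
#!/bin/sh
# Audit passwd-format entries (name:passwd:uid:gid:gecos:home:shell) for
# the two mistakes discussed above: a home directory that is really the
# nologin binary, and a line whose ':' count is off, which silently shifts
# every field to the right of the error.
#
# Constructed sample data, not taken from any real system. The mailnull
# line has /usr/sbin/nologin as its home; the smmsp line has an extra ':'.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
mailnull:*:26:26:Sendmail Default User:/usr/sbin/nologin:/usr/sbin/nologin
smmsp:*:25:25::Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# audit_passwd PASSWD_TEXT
# Prints one diagnostic line per suspect entry and nothing when all are sane.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        # Any field count other than 7 means a ':' was dropped or doubled.
        NF != 7 {
            printf "%s: %d fields (expected 7), check for a missing or extra \":\"\n", $1, NF
            next
        }
        # Field 6 is the home directory; nologin is a program, so any login
        # or su that consults ~/.login_conf fails with "Not a directory".
        $6 == "/usr/sbin/nologin" {
            printf "%s: home is /usr/sbin/nologin (a binary, not a directory); use /nonexistent\n", $1
        }
    '
}

audit_passwd "$SAMPLE_PASSWD"
```

On a live box, `audit_passwd "$(cat /etc/passwd)"` checks the real file; fix the offending entry with vipw so the database is rebuilt.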