From owner-freebsd-questions@FreeBSD.ORG Tue Sep 1 22:56:32 2009
Date: Tue, 1 Sep 2009 15:56:30 -0700
From: Kurt Buff
To: freebsd-questions@freebsd.org
Subject: Daily security report oddity...
I got a daily security run email from one of my machines on Monday morning, with the following entry:

zmx1.zetron.com login failures:
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0

What's puzzling is that this account has been completely inactive for well over a year - this fellow is long gone, and I simply didn't clean it up - that's my bad, but that's not the puzzling part.

I traced it down, and found out that he had not logged in on Sunday. The auth.log is, as you can see from the listing below, quite old. The entries referenced above are from two years ago.

zmx1# ll /var/log/a*
-rw------- 1 root wheel 71845 Sep 1 15:42 /var/log/auth.log
-rw------- 1 root wheel 6087 Aug 29 2007 /var/log/auth.log.0.bz2
-rw------- 1 root wheel 5774 Aug 12 2007 /var/log/auth.log.1.bz2
-rw------- 1 root wheel 5795 Jul 24 2007 /var/log/auth.log.2.bz2
-rw------- 1 root wheel 6813 Jul 6 2007 /var/log/auth.log.3.bz2

So, a couple of questions:

Why would the daily security run pick up something from *two years ago* and only report it again today? The machine hasn't been rebooted in a very long time, if that makes a difference.

Is there any way to prevent something like this happening again - or perhaps can I force the entry of the year into the date field for the auth.log entries?

Kurt
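The daily check matches auth.log lines on month and day only, so in a log that has not rotated since 2007 every year's "Aug 30" qualifies. As an added example (not from the post or from FreeBSD's periodic scripts), this infers each line's year by walking back from the file's mtime and keys the report on the full date; the mtime, the run date and the log lines are constructed.

```python
# Added example (not from the list post or FreeBSD's periodic scripts).
import re
from datetime import date, datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")

# Constructed auth.log: two stale 2007 BAD SU lines, sparse 2008 traffic,
# then one genuine failure the night before the run.
LOG = """\
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Dec 31 23:59:02 zmx1 sshd[770]: Accepted publickey for admin from 10.0.0.5 port 50990 ssh2
Nov  2 07:30:11 zmx1 sshd[990]: Accepted publickey for admin from 10.0.0.5 port 52010 ssh2
Aug 30 22:10:05 zmx1 su: BAD SU jdoe to root on /dev/ttyp1
Aug 31 03:01:00 zmx1 sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 53001 ssh2
""".splitlines()
MTIME = datetime(2009, 8, 31, 3, 1)  # assumed mtime of auth.log
TODAY = date(2009, 8, 31)            # morning the daily run executes

def naive_report(lines, today):
    """Year-less month/day match: stale years are reported too."""
    yday = today - timedelta(days=1)
    prefix = f"{yday:%b} {yday.day:2d} "
    return [l for l in lines if l.startswith(prefix) and "BAD SU" in l]

def assign_years(lines, mtime):
    """Anchor the last line on the file's mtime and walk backwards; a line
    dated later in the year than the one after it crossed a year boundary.
    Reliable only if no gap in the log spans a whole year."""
    out, year, prev = [], mtime.year, (mtime.month, mtime.day)
    for line in reversed(lines):
        m = STAMP.match(line)
        if not m:
            continue  # malformed or continuation line
        mon, day = MONTHS[m.group(1)], int(m.group(2))
        if (mon, day) > prev:
            year -= 1
        prev = (mon, day)
        ts = datetime(year, mon, day, *map(int, m.group(3, 4, 5)))
        out.append((ts, line))
    return out[::-1]

def yesterdays_failures(lines, mtime, today):
    """The same check keyed on the inferred full date."""
    yday = today - timedelta(days=1)
    return [l for ts, l in assign_years(lines, mtime)
            if ts.date() == yday and "BAD SU" in l]
```

Ordering can only recover the year while no gap in the log spans a full year, so regular rotation (the .bz2 files above show newsyslog was doing this until 2007) remains the real fix.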