From: "Peter C. Lai"
To: "slamdunk"
Subject: Re: weird login attempt
Date: Fri, 23 Feb 2001 14:10:22 -0500

If someone tried to telnet in, and at the password prompt, they just
pressed some keys and of course in telnet, before the session termcap is
established, all "funky" keys such as the arrows and the function keys
will return escape sequences, and then if they used ^] (or the escape
sequence), and then quit, you'd get that. I can replicate that easily.
Since almost all my logins are via ssh, sshd will report this, but if it
happens to be a telnet session, login will report this.

----- Original Message -----
From: "slamdunk"
Sent: Friday, February 23, 2001 1:55 PM
Subject: Re: weird login attempt

> Nope it won't be either of these - The box is in a locked cabinet in our
> datacenter.
>
> Ah well, seems this will remain a mystery
>
> Jerry
>
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In a previous message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying its hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
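
Added example, not part of the original thread: a Python triage of `login` failure lines in the format quoted above, separating name fields made up entirely of terminal escape sequences (stray key presses) from fields that contain typed text. The last two sample lines, the verdict labels and the function names are constructed for illustration, and a user who literally types `^[` cannot be told apart from a logged ESC.

```python
import re

# First two lines are quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:43:02 www login: 3 LOGIN FAILURES ON ttyv1, admin
Feb 23 10:44:15 www login: 1 LOGIN FAILURE ON ttyv1, root^[[A
"""

# "<n> LOGIN FAILURE[S] ON <tty>[, <name>]" as it appears in the quoted log.
LINE = re.compile(r"login: (\d+) LOGIN FAILURES? ON (\S+?)(?:, (.*))?$")

# Caret notation: "^[[" + parameters + final byte is an ESC [ sequence;
# any other "^X" is a single control character (a lone "^[" is a bare ESC).
TOKEN = re.compile(r"\^\[\[[0-9;]*[@-~]|\^[@-_?]")


def classify(name):
    """Return (verdict, tokens) for the name field of one failure line."""
    if not name:
        return "no-name", []
    tokens = TOKEN.findall(name)
    typed = TOKEN.sub("", name).strip()   # what is left once keys are removed
    if tokens and not typed:
        return "keyboard-noise", tokens   # nothing but key escape sequences
    return ("mixed" if tokens else "text"), tokens


def triage(log_text):
    """Return a list of (tty, failures, verdict, tokens), one per failure line."""
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue                      # not a login failure record
        verdict, tokens = classify(m.group(3))
        results.append((m.group(2), int(m.group(1)), verdict, tokens))
    return results


if __name__ == "__main__":
    for tty, failures, verdict, tokens in triage(SAMPLE_LOG):
        print(f"{tty:6} failures={failures} {verdict:15} {' '.join(tokens)}")
```

Only the "text" and "mixed" verdicts carry a typed name worth correlating with other authentication logs; "keyboard-noise" entries match the key-press explanation given in the thread.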