Date:      Fri, 23 Feb 2001 10:33:04 -0800 (PST)
From:      "tjk@tksoft.com" <tjk@tksoft.com>
To:        slamdunk@neophile.net (slamdunk)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: weird login attempt
Message-ID:  <200102231833.KAA16516@uno.tksoft.com>
In-Reply-To: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> from "slamdunk" at Feb 23, 2001 06:55:13 PM

Jerry,

Since the user is www, is it possible that the login
was attempted through the web server? I.e. do you have
your web server running under the username www?

One theoretical possibility would be that someone
was able to execute a cgi which tried to log in
to the system.

The ttyv0 indicates a local login, not a networked
(pseudo tty) login. If the cgi exec'ed code which
attached to ttyv0, then this would seem consistent.

Might be a good idea to see your web access logs for
that particular moment in time and see if some cgi
was called just then.


Troy

> 
> Nope it won't be either of these - The box is in a locked cabinet in our 
> datacenter.
> 
> Ah well, seems this will remain a mystery
> 
> Jerry
> 
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In a previous message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying its hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
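An added example, not part of the original message or thread: one way to do the check suggested in the reply above, listing CGI requests in the web access log that fall within a time window of each console login failure. It assumes the access log is in Common Log Format, that CGI scripts live under /cgi-bin/ or end in .cgi, and that both logs use the same local clock; the access log lines, the function names and the 60-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Failure line as quoted in the thread. syslog omits the year, so the caller supplies it.
AUTH_LOG = "Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0\n"

# Constructed sample access log (Common Log Format, documentation address ranges).
ACCESS_LOG = """\
192.0.2.10 - - [23/Feb/2001:10:39:02 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [23/Feb/2001:10:41:31 +0000] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512
192.0.2.10 - - [23/Feb/2001:10:41:35 +0000] "GET /images/logo.gif HTTP/1.0" 200 2210
203.0.113.5 - - [23/Feb/2001:11:15:00 +0000] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 77
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login: .*LOGIN FAILURE ON (\S+)")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "(\S+) (\S+)[^"]*" \d{3}')
CGI_RE = re.compile(r"/cgi-bin/|\.cgi(\?|/|$)")  # assumed CGI locations

def login_failures(text, year):
    """Yield each distinct (timestamp, tty) login failure; repeated lines collapse."""
    seen = set()
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (ts, m.group(2).rstrip(","))  # tty may be followed by a comma
        if key not in seen:
            seen.add(key)
            yield key

def cgi_hits_near(access_text, when, window_s=60):
    """Return (time, client, method, path) for CGI requests within window_s of `when`."""
    hits = []
    for line in access_text.splitlines():
        m = CLF_RE.match(line)
        if not m or not CGI_RE.search(m.group(4)):
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")  # zone offset ignored
        if abs(ts - when) <= timedelta(seconds=window_s):
            hits.append((ts, m.group(1), m.group(3), m.group(4)))
    return hits

def correlate(auth_text, access_text, year, window_s=60):
    return {key: cgi_hits_near(access_text, key[0], window_s)
            for key in login_failures(auth_text, year)}

if __name__ == "__main__":
    for (ts, tty), hits in correlate(AUTH_LOG, ACCESS_LOG, 2001).items():
        print(ts, tty, hits or "no CGI request in window")
```

An empty result for a failure does not rule out the web server; it only means no request matching the assumed CGI paths was logged in that window.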