From owner-freebsd-security Fri Feb 23 12:36:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.oregonfast.net (mail.oregonfast.net [63.228.228.11])
	by hub.freebsd.org (Postfix) with SMTP id 35D7537B401
	for ; Fri, 23 Feb 2001 12:36:35 -0800 (PST)
	(envelope-from daemus@oregonfast.net)
Received: (qmail 14007 invoked by uid 89); 23 Feb 2001 20:36:33 -0000
Message-ID: <20010223203633.14006.qmail@mail.oregonfast.net>
References: <200102231833.KAA16516@uno.tksoft.com>
In-Reply-To: <200102231833.KAA16516@uno.tksoft.com>
From: "James"
To: freebsd-security@FreeBSD.ORG
Subject: Re: weird login attempt
Date: Fri, 23 Feb 2001 20:36:33 GMT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Sender: daemus@oregonfast.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

www is the short hostname of the box that the logs came from.

tjk@tksoft.com writes:

> Jerry,
>
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
>
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to log in
> to the system.
>
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
>
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
>
>
> Troy
>
>>
>> Nope it won't be either of these - The box is in a locked cabinet in our
>> datacenter.
>>
>> Ah well, seems this will remain a mystery
>>
>> Jerry
>>
>> At 13:48 23/02/2001 +0200, you wrote:
>> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
>> > > In a previous message, slamdunk wrote:
>> > > > Can anyone identify what this might be?
>> > >
>> > > Somebody laying its hand over the keyboard :)
>> > >
>> > > >
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
>> >
>> >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
>> >around the numeric keypad.
>> >
>> >G'luck,
>> >Peter
>> >
>> >--
>> >If you think this sentence is confusing, then change one pig.
>> >
>> >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >with "unsubscribe freebsd-security" in the body of the message
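
A triage sketch for log lines like the ones quoted in this thread, added here as an example and not written by any of the posters: it splits each login failure line into tty and attempted name, labels ttyv* as console and ttyp* as pseudo tty following the distinction Troy draws, and reports whether the name consists only of caret-notation control sequences. The function names, the classification labels and the regular expressions are assumptions made for the example.

```python
import re

# The four log lines quoted in the thread, with the mail line-wrap rejoined.
SAMPLE_LOG = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
"""

# "<timestamp> <host> login: N LOGIN FAILURE(S) ON <tty>[, <name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\slogin:\s"
    r"\d+ LOGIN FAILURES? ON (?P<tty>[^,\s]+)(?:,\s*(?P<name>.*))?$"
)
# Caret notation as it appears in the log: an ESC [ ... sequence, or one control char.
TOKEN_RE = re.compile(r"\^\[\[[0-9;]*[@-~]|\^[@-_?]")


def classify(line):
    """Return a dict describing one login failure line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    tty, name = m.group("tty"), m.group("name") or ""
    if tty.startswith("ttyv"):
        source = "console"          # virtual console, i.e. a local login
    elif tty.startswith("ttyp"):
        source = "pty"              # pseudo tty, i.e. a networked login
    else:
        source = "other"
    tokens = TOKEN_RE.findall(name)
    residue = TOKEN_RE.sub("", name).strip()
    if not name:
        kind = "empty"
    elif tokens and not residue:
        kind = "control-only"       # nothing but escape/control sequences
    elif tokens:
        kind = "mixed"
    else:
        kind = "printable"
    return {"host": m.group("host"), "tty": tty, "source": source,
            "name_kind": kind, "tokens": tokens}


def triage(log_text):
    """Classify every login failure line in a block of log text."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

A "control-only" name on a console tty matches the keypress explanation offered in the thread; a printable name on a pty is the case that warrants correlating with network and web access logs.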