Date:      Fri, 23 Feb 2001 12:05:45 -0800
From:      Dima Ruban <dima@rdy.com>
To:        "tjk@tksoft.com" <tjk@tksoft.com>
Cc:        slamdunk <slamdunk@neophile.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: weird login attempt
Message-ID:  <20010223120545.A7058@sivka.rdy.com>
In-Reply-To: <200102231833.KAA16516@uno.tksoft.com>; from tjk@tksoft.com on Fri, Feb 23, 2001 at 10:33:04AM -0800
References:  <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> <200102231833.KAA16516@uno.tksoft.com>

Look at the logs. www is the name of the machine, not the user name.

On Fri, Feb 23, 2001 at 10:33:04AM -0800, tjk@tksoft.com wrote:
> Jerry,
> 
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
> 
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to login
> to the system.
> 
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
> 
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
> 
> 
> Troy
> 
> > 
> > Nope it won't be either of these - The box is in a locked cabinet in our 
> > datacenter.
> > 
> > Ah well, seems this will remain a mystery
> > 
> > Jerry
> > 
> > At 13:48 23/02/2001 +0200, you wrote:
> > >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > > In a previous message, slamdunk wrote:
> > > > > Can anyone identify what this might be?
> > > >
> > > > Somebody laying its hand over the keyboard :)
> > > >
> > > > >
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > >
> > >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
> > >around the numeric keypad.
> > >
> > >G'luck,
> > >Peter
> > >
> > >--
> > >If you think this sentence is confusing, then change one pig.
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-security" in the body of the message
-- dima
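
Added example, not part of the original message or of FreeBSD's own code: a small parser for the login-failure lines quoted in this thread. It shows which syslog field is the hostname, classifies the tty, and counts the control characters in the logged input. The message pattern is inferred from the quoted lines, and the tty naming (`ttyv` for a virtual console, `ttyp`/`pts` for a pseudo-tty) is an assumption.

```python
import re

# Constructed sample: the two distinct lines quoted in the thread, with the
# mail-wrapped second line rejoined.
SAMPLE = [
    "Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0",
    "Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[",
]

# Classic BSD syslog layout: timestamp, hostname, program tag, message.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Message shape inferred from the lines above; the text after the comma is
# whatever was typed at the login prompt.
FAILURE = re.compile(
    r"^(?P<count>\d+) LOGIN FAILURES? ON (?P<tty>[^,\s]+)(?:, (?P<typed>.*))?$"
)
# Control characters, either raw or in the caret notation seen in the log.
CONTROL = re.compile(r"\^[@-_?]|[\x00-\x1f\x7f]")


def tty_kind(tty):
    """Assumed naming: ttyvN = virtual console, ttypN or pts/N = pty."""
    if tty.startswith("ttyv"):
        return "console"
    if tty.startswith(("ttyp", "pts/")):
        return "pty"
    return "other"


def parse_failure(line):
    """Return the fields of a login-failure line, or None if it is not one."""
    outer = SYSLOG.match(line)
    if not outer or outer["prog"] != "login":
        return None
    inner = FAILURE.match(outer["msg"])
    if not inner:
        return None
    typed = inner["typed"]
    return {
        "host": outer["host"],          # second syslog field: the machine
        "tty": inner["tty"],
        "tty_kind": tty_kind(inner["tty"]),
        "typed": typed,                 # None when nothing was logged
        "control_chars": len(CONTROL.findall(typed or "")),
    }


if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_failure(entry))
```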
