Date: Fri, 23 Feb 2001 12:05:45 -0800
From: Dima Ruban
To: "tjk@tksoft.com"
Cc: slamdunk, freebsd-security@FreeBSD.ORG
Subject: Re: weird login attempt
Message-ID: <20010223120545.A7058@sivka.rdy.com>
References: <4.3.2.7.2.20010223185401.02aad2c0@pop3.neophile.net> <200102231833.KAA16516@uno.tksoft.com>
In-Reply-To: <200102231833.KAA16516@uno.tksoft.com>; from tjk@tksoft.com on Fri, Feb 23, 2001 at 10:33:04AM -0800

Look at the logs. www is the name of the machine, not the user name.

On Fri, Feb 23, 2001 at 10:33:04AM -0800, tjk@tksoft.com wrote:
> Jerry,
>
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
>
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to login
> to the system.
>
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
>
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
>
>
> Troy
>
>
> > Nope it won't be either of these - The box is in a locked cabinet in our
> > datacenter.
> >
> > Ah well, seems this will remain a mystery
> >
> > Jerry
> >
> > At 13:48 23/02/2001 +0200, you wrote:
> > >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > > In a previous message, slamdunk wrote:
> > > > > Can anyone identify what this might be?
> > > >
> > > > Somebody laying its hand over the keyboard :)
> > > >
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > >
> > >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
> > >around the numeric keypad.
> > >
> > >G'luck,
> > >Peter
> > >
> > >--
> > >If you think this sentence is confusing, then change one pig.
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-security" in the body of the message

--
dima
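
The triage reasoning in this thread (the field after the timestamp is the host, ttyv0 is a local console, and the logged "user name" is a run of escape sequences), as an added Python example that is not part of any poster's message. It assumes only the log line format quoted above; the last sample line and the verdict labels are constructed for illustration.

```python
import re

# The four syslog lines quoted in the thread, plus one constructed line
# (the last) showing an ordinary mistyped login for contrast.
SAMPLE = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
Feb 23 11:02:17 www login: 2 LOGIN FAILURES ON ttyv1, jerry
"""

# timestamp, host (the field the thread points out is "www"), count, tty, name
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\slogin:\s"
    r"(?P<count>\d+) LOGIN FAILURES? ON (?P<tty>\w+)(?:, (?P<user>.*))?$")
# "^[" is caret notation for ESC (0x1b); "^[[S" is therefore ESC [ S.
ESC_SEQ = re.compile(r"\^\[(?:\[.)?")


def parse(line):
    """Parse one 'LOGIN FAILURE ON <tty>' line; return None if it does not match."""
    m = LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    # ttyvN is a FreeBSD virtual console, i.e. the physically attached keyboard.
    rec["local_console"] = rec["tty"].startswith("ttyv")
    user = rec["user"] or ""
    rec["escapes"] = ESC_SEQ.findall(user)
    leftover = ESC_SEQ.sub("", user).strip()
    if not user:
        rec["verdict"] = "no-username"       # line variant logged without a name
    elif rec["escapes"] and not leftover:
        rec["verdict"] = "keyboard-noise"    # only function/cursor key sequences
    elif rec["escapes"]:
        rec["verdict"] = "mixed"             # control sequences plus typed text
    else:
        rec["verdict"] = "typed-name"        # a real name was typed at the prompt
    return rec


def triage(text):
    """Return parsed records for every matching line in a log excerpt."""
    return [r for r in map(parse, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["host"], r["tty"], r["count"], r["verdict"], r["escapes"])
```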