From: Aldisa Admin <admin@aldisa.ca>
Organization: Aldisa Canada Inc.
Date: Wed, 12 Sep 2007 09:14:57 -0400
To: freebsd-questions@freebsd.org
Subject: Problem with logs

Hello All,

I am having trouble understanding what is going on and how to solve the problem.

For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output:

[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

[hostname].ca login failures:
Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0

I got worried because both these instances are times when I am positive that I am not accessing the system. I am the only user of the system. I use ssh to access the system. Root access is disabled in sshd. I log in using my username (abid) and su to root when necessary.

So I went to check the auth.log, and here is the concerned section:

Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep 9 13:41:00 server su: abid to root on /dev/ttyp0
Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0

As you can see, there is no matching incidence in the auth.log. How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username?

Some other facts: The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open. SSH access is restricted to intranet IP ranges. The only other opening is a VPN connection between the routers at my office (where the server is) and my home. The subnet in the office is 192.168.1 and at home is 192.168.2. I changed the password on my account after the Sep 8 occurrence.

It seems to me that somebody is hacking in, but I can't figure out how and from where.

ANY AND ALL HELP WILL BE APPRECIATED.

Abid
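As an added example (not part of Abid's message or any reply on the list), here is a small Python script that does the cross-check the post performs by hand: it parses auth.log-style sshd and su lines and flags every su attempt, failed or successful, that is not preceded by an accepted sshd login for the same user within a window. The sample lines are constructed from the post's own excerpt; the 30-minute window and the year 2007 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shapes as they appear in the post: BSD syslog timestamps carry no year.
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: (BAD SU )?(\S+) to (\S+) on (\S+)")

# Constructed sample: part of the auth.log excerpt from the post, plus the two
# BAD SU lines reported by the daily security run (absent from auth.log).
SAMPLE_LINES = [
    "Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2",
    "Aug 31 17:01:40 server su: abid to root on /dev/ttyp0",
    "Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2",
    "Sep  9 13:41:00 server su: abid to root on /dev/ttyp0",
    "Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2",
    "Sep 10 09:04:47 server su: abid to root on /dev/ttyp0",
    "Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0",
    "Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0",
]

def parse_ts(stamp, year):
    # strptime treats the format's single space as "one or more", so "Sep  9" parses too.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(lines, year=2007, window_minutes=30):
    """Return findings as (kind, timestamp, user, target, tty), sorted by time.
    'bad-su'         : an su failure, whatever preceded it.
    'no-ssh-session' : an su attempt (failed or not) with no accepted sshd
                       login for the same user in the preceding window."""
    logins, su_events = [], []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            logins.append((parse_ts(m.group(1), year), m.group(2), m.group(3)))
            continue
        m = SU_RE.match(line)
        if m:
            su_events.append((parse_ts(m.group(1), year), m.group(2) is not None,
                              m.group(3), m.group(4), m.group(5)))
    window = timedelta(minutes=window_minutes)
    findings = []
    for ts, failed, user, target, tty in su_events:
        preceded = any(u == user and ts - window <= t <= ts for t, u, _ in logins)
        if not preceded:
            findings.append(("no-ssh-session", ts, user, target, tty))
        if failed:
            findings.append(("bad-su", ts, user, target, tty))
    return sorted(findings, key=lambda f: f[1])  # stable sort keeps per-event order

if __name__ == "__main__":
    for kind, ts, user, target, tty in correlate(SAMPLE_LINES):
        print(f"{ts:%b %d %H:%M:%S} {kind:15} {user}->{target} on {tty}")
```

Run against a real auth.log the script only reports su attempts whose timestamps have no nearby ssh login, which is exactly the gap the post is asking about; su attempts from a console or other non-ssh session will show up the same way, so a hit needs to be read alongside wtmp/last output before drawing conclusions.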