Date: Wed, 12 Sep 2007 09:14:57 -0400
From: Aldisa Admin <admin@aldisa.ca>
To: freebsd-questions@freebsd.org
Subject: Problem with logs
Message-ID: <46E7E651.4010708@aldisa.ca>
Hello All,

I am having trouble understanding what is going on and how to solve the problem.

For the last few days, I am getting the following messages (some names removed for privacy) in the daily security run output:

[hostname].ca login failures:
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0

[hostname].ca login failures:
Sep 8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0

I got worried because both these instances are times when I am positive that I am not accessing the system. I am the only user of the system. I use ssh to access the system. Root access is disabled in sshd. I log in using my username (abid) and su to root when necessary.

So I went to check the auth.log, and here is the concerned section:

Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Aug 31 18:42:56 server sshd[69386]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1688 ssh2
Aug 31 18:43:01 server su: abid to root on /dev/ttyp0
Aug 31 22:58:28 server sshd[71423]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 2032 ssh2
Aug 31 22:58:32 server su: abid to root on /dev/ttyp0
Sep 9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep 9 13:41:00 server su: abid to root on /dev/ttyp0
Sep 9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
Sep 12 08:41:46 server sshd[6247]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2521 ssh2
Sep 12 08:41:53 server su: abid to root on /dev/ttyp0

As you can see, there is no matching incident in the auth.log. How can the security run show a BAD SU when there is no matching entry in the auth.log for somebody authenticating successfully under my username?

Some other facts:

- The machine is behind a NAT router and only apache and email ports (25, 80, 110, 143, 443, 587) are open.
- SSH access is restricted to intranet IP ranges.
- The only other opening is a VPN connection between the routers at my office (where the server is) and my home. The subnet in the office is 192.168.1 and at home is 192.168.2.
- I changed the password on my account after the Sep 8 occurrence.

It seems to me that somebody is hacking in, but I can't figure out how and from where.

ANY AND ALL HELP WILL BE APPRECIATED.

Abid
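The check the poster did by eye (does each su attempt have an sshd login for that user shortly before it?) can be scripted. The following is an added example, not code from the original post or from FreeBSD: it parses syslog-format lines, pairs every `su` event (successful or `BAD SU`) with the most recent `sshd ... Accepted` login for the same user inside a time window, and reports the su events that have no such login. The sample input is constructed from the post's auth.log excerpt with the two security-run `BAD SU` lines merged in; the year (2007) and the 12-hour window are assumptions, since syslog timestamps carry no year and sshd's `Accepted` line does not name the tty, so user and time are the only join keys available.

```python
"""Correlate su(1) events with preceding sshd logins in FreeBSD syslog text.

Added example, not code from the mailing-list post. Assumptions: the daily
security run's BAD SU lines and auth.log can be read as one syslog stream,
the year is 2007 (syslog lines omit it), and a login more than `window`
before an su event is not considered to explain it.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: auth.log lines from the post plus the two BAD SU lines
# that appeared only in the daily security run output.
SAMPLE_LOG = """\
Aug 31 17:01:36 server sshd[67613]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1203 ssh2
Aug 31 17:01:40 server su: abid to root on /dev/ttyp0
Sep  8 16:56:15 server su: BAD SU abid to root on /dev/ttyp0
Sep  9 13:40:55 server sshd[72180]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 4146 ssh2
Sep  9 13:41:00 server su: abid to root on /dev/ttyp0
Sep  9 14:14:09 server sshd[72484]: Accepted keyboard-interactive/pam for abid from 192.168.2.149 port 1116 ssh2
Sep 10 09:04:41 server sshd[81232]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 2599 ssh2
Sep 10 09:04:47 server su: abid to root on /dev/ttyp0
Sep 11 10:36:52 server su: BAD SU abid to root on /dev/ttyp0
Sep 11 11:37:10 server sshd[94789]: Accepted keyboard-interactive/pam for abid from 192.168.1.30 port 1361 ssh2
Sep 11 11:37:15 server su: abid to root on /dev/ttyp0
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional; su logs without one)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$")


class Login(NamedTuple):
    when: datetime
    user: str
    src: str


class SuEvent(NamedTuple):
    when: datetime
    user: str
    target: str
    tty: str
    failed: bool  # True for "BAD SU" lines


class Match(NamedTuple):
    su: SuEvent
    login: Optional[Login]  # None: no sshd login for that user inside the window


def parse(text: str, year: int = 2007) -> Tuple[List[Login], List[SuEvent]]:
    """Split syslog text into sshd logins and su events, sorted by time."""
    logins: List[Login] = []
    su_events: List[SuEvent] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        when = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        if m['prog'] == 'sshd':
            s = SSHD_RE.match(m['msg'])
            if s:
                logins.append(Login(when, s['user'], s['src']))
        elif m['prog'] == 'su':
            s = SU_RE.match(m['msg'])
            if s:
                su_events.append(SuEvent(when, s['user'], s['target'], s['tty'], bool(s['bad'])))
    logins.sort()
    su_events.sort()
    return logins, su_events


def correlate(text: str, window: timedelta = timedelta(hours=12), year: int = 2007) -> List[Match]:
    """Pair each su event with the latest sshd login for the same user within `window` before it."""
    logins, su_events = parse(text, year)
    out = []
    for ev in su_events:
        candidates = [l for l in logins
                      if l.user == ev.user and ev.when - window <= l.when <= ev.when]
        out.append(Match(ev, max(candidates, key=lambda l: l.when) if candidates else None))
    return out


def unexplained(text: str, **kw) -> List[SuEvent]:
    """su events (good or BAD) with no sshd login for that user in the window before them."""
    return [m.su for m in correlate(text, **kw) if m.login is None]


if __name__ == "__main__":
    for m in correlate(SAMPLE_LOG):
        tag = "BAD SU" if m.su.failed else "su    "
        via = f"after ssh login from {m.login.src} at {m.login.when:%b %d %H:%M:%S}" if m.login \
            else "NO preceding ssh login in window"
        print(f"{m.su.when:%b %d %H:%M:%S} {tag} {m.su.user} -> {m.su.target} on {m.su.tty}: {via}")
```

On the sample above both `BAD SU` lines come out as unexplained, which is exactly the observation in the post: every successful su sits a few seconds after an `Accepted` line for `abid`, and the two failures have no login for that user near them. The script only establishes that fact; it cannot say whether the attempt came from a session that never went through sshd (a local console, a cron job, a service running as that user) or from a log that was rotated or edited, so treat its output as the list of events to investigate, not as a verdict. Widening the window changes the answer, as the second test below shows, so pick it deliberately.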
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46E7E651.4010708>