Interestingly enough, there are entries in my syslog along the following: sshd[253]: syslogin_perform_logout: logout() returned an error
There appear to be one of these for every logout action taken by a user... This is strange. Could this maybe produce starvation of a resource indicating when / which users are logged in if it creates a host of undead not-quite-logged-in users? (really sounds like I'm grasping for straws. Sigh) --Andrew Ruef -----Original Message----- From: Andrew Ruef [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 29, 2005 5:20 PM To: [email protected] Subject: RE: [gentoo-sparc] Interesting incident involving Gentoo hardened linux No... due to piss poor administration and that it's a Gentoo box those md5's don't exist. Although the strange thing is, after sshd has been restarted everything works fine... I think I'm reaching for straws but it was as if sshd wasn't forking a bash shell properly. Users could enter into their shells entry in /proc, it just wasn't being displayed in 'w' or 'ps'.... This just sounds bad the more I think about it. I'm going to try and reproduce the bug, if it can be... --Andrew Ruef -----Original Message----- From: Gary [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 29, 2005 4:50 PM To: [email protected] Subject: Re: [gentoo-sparc] Interesting incident involving Gentoo hardened linux On Wed, 29 Jun 2005, Andrew Ruef wrote: > Took the system down to init 1 and checked it out for any signs of foul > play, found none. No anomalous behavior in the logs, nothing weird that > grsec reported. Nothing in the NIDS logs of the attached system.. Did you do an MD5 comparison between the 'ps' command on your box and a known good binary? That sounds like a trojaned ps binary or something amiss in the kernel. > But still... anyone else seen this behavior? -- [email protected] mailing list -- [email protected] mailing list -- [email protected] mailing list
