Unnamed sources report that Belinda Marchand said:
> Hello everyone,
>
> I ran into an interesting problem last week, it started happening
> out of the blue. At the login prompt, after anyone enters their
> login names, the following message is printed out before the passwd
> prompt:
Looks like you've been hacked. One or more files have been replaced
to allow someone to login. Lock this machine down and reinstall unless
you can identify the changed files and replace them.
> Jan 21 22:58:18 gris311pc1 telnetd[2043]: ttloop: peer died: Success
> Jan 21 22:59:46 gris311pc1 syslog: FAILED LOGIN 2 FROM ww2.vnti.com FOR w, User not
>known to the underlying authentication module
> Jan 21 22:59:50 gris311pc1 syslog: LOGIN ON ttyp7 BY blow FROM ww2.vnti.com
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `PASS_INACTIVE'
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `PASS_EXPIRE'
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `GROUP'
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `HOME'
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `SHELL'
> Jan 21 23:04:53 gris311pc1 syslog: unknown configuration item `SKEL'
>
> I checked the passwd file and, unless this user is something created by linux
> at installation, I surely never created an account on my machine for this
> user.
>
> Does anyone have any ideas as to why this just started happening, and more
> importatnly, how to fix it?
--
Kurt Wall
Informix on Linux FAQ - http://www.xmission.com/~kwall/iolfaq.html
Spanish Translation - http://www.xmission.com/~kwall/iolfaqsp.html
