Re: Someone trying to break in.
Sergey Zaharchenko [EMAIL PROTECTED] wrote: On Tue, Jan 04, 2005 at 10:06:39AM -0500, Bill Moran probably wrote: Over the holiday I replaced a server that appeared to have been cracked. Basically built a replacement with the same services in a sandbox, then swapped it with the old one. The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating, however, I'm seeing a lot of messages in the log files. For example: Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and that someone is trying to su. /usr/sbin/nologin can't be a home directory, it must be the shell for some user who isn't supposed to log in. /nonexistent should be the home directory. It looks possible that your password file specifies /usr/sbin/nologin as a home directory and a valid shell for some system user. Maybe you omitted or added an extra `:'? Just a guess, Thanks for the input, Sergey. That's certainly what's happening. For some reason, certain user records are awry. -- Bill Moran Potential Technologies http://www.potentialtech.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Someone trying to break in.
On Tue, 4 Jan 2005, Bill Moran wrote: Over the holiday I replaced a server that appeared to have been cracked. Basically built a replacement with the same services in a sandbox, then swapped it with the old one. The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating, however, I'm seeing a lot of messages in the log files. For example: Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory Perhaps you just mixed up some (pseudo-)user's entry for /etc/master.passwd ? Instead of ...:/nonexistent:/sbin/nologin you set ...:/sbin/nologin:/nonexistent ??? Just a guess, Uli. On the one hand, I'm taking this to mean that whatever technique was previously being used to control the box is no longer working, but I'm wondering if anyone has an idea as to what the technique actually was? I want to see if I can lock it down even further, based on the specific exploit that is being attempted here. Anyone seen these errors before, and have any clue as to what exploit is going on? The previous machine was very outdated, so I'm assuming it was a known exploit in the mail system (postfix) or Neomail or something else. The new machine has all the latest stable versions of all software, so I'm hoping that it's no longer vulnerable, but I can't seem to determine what kind of attack was being used. Thoughts? -- Bill Moran Potential Technologies http://www.potentialtech.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] +---+ |Peter Ulrich Kruppa| | Wuppertal | | Germany | +---+ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Someone trying to break in.
Over the holiday I replaced a server that appeared to have been cracked. Basically built a replacement with the same services in a sandbox, then swapped it with the old one. The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating, however, I'm seeing a lot of messages in the log files. For example: Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory On the one hand, I'm taking this to mean that whatever technique was previously being used to control the box is no longer working, but I'm wondering if anyone has an idea as to what the technique actually was? I want to see if I can lock it down even further, based on the specific exploit that is being attempted here. Anyone seen these errors before, and have any clue as to what exploit is going on? The previous machine was very outdated, so I'm assuming it was a known exploit in the mail system (postfix) or Neomail or something else. The new machine has all the latest stable versions of all software, so I'm hoping that it's no longer vulnerable, but I can't seem to determine what kind of attack was being used. Thoughts? -- Bill Moran Potential Technologies http://www.potentialtech.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Someone trying to break in.
On Tue, Jan 04, 2005 at 10:06:39AM -0500, Bill Moran probably wrote: Over the holiday I replaced a server that appeared to have been cracked. Basically built a replacement with the same services in a sandbox, then swapped it with the old one. The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating, however, I'm seeing a lot of messages in the log files. For example: Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and that someone is trying to su. /usr/sbin/nologin can't be a home directory, it must be the shell for some user who isn't supposed to log in. /nonexistent should be the home directory. It looks possible that your password file specifies /usr/sbin/nologin as a home directory and a valid shell for some system user. Maybe you omitted or added an extra `:'? Just a guess, -- DoubleF Dealing with failure is easy: work hard to improve. Success is also easy to handle: you've solved the wrong problem. Work hard to improve. pgpl3NNJnkPkX.pgp Description: PGP signature
