[SLL] bad login attempts
Paul A. Franz, P.E.
paul at eucleides.com
Sun Aug 24 21:40:13 PDT 2008
Bad login attempts are not being logged on an FC 1 server for me. At one time they
were. The file /var/log/btmp is 0 length. I have purposely done bad logins by both bad
username and bad password and nothing is entered.

Another observation which might be a clue is when running finger on a user that has
logged in many times the result is (sometimes) Last login:user has never logged in.
Running finger on a user (finger user) as user root shows the contents of root's .plan
file and when running finger on that user as that user it says: no plan. When in fact
there is a .plan file with verified contents and is owned by the user with world read
rights.

Another bad thing that is evident is a successful login entry for zero connect time on
a user whose shell is /bin/false. That login came from a foreign IP with no reverse
lookup but is an APNIC IP so I know it wasn't the e-mail only user that attempted the
login.

# last -a | grep karen
karen pts/1 Thu Aug 14 22:22 - 22:22 (00:00) 121.14.136.123
# grep karen /etc/passwd
karen:x:509:509::/home/karen:/bin/false
I might have been hacked. Any suggestions?
--
Paul A. Franz, P.E.
PAF Consulting Engineers
Office 425.641.8202
FAX 425.641.1773
Cell 425.241.1618
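
Added example (not part of the original post): a shell function that cross-checks saved `last -a` output against a passwd file and lists session records for accounts whose shell is /bin/false or nologin, as with the karen entry above. The function names, the file arguments and every sample line other than the two karen lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: list wtmp session records that belong to accounts whose
# passwd shell cannot start an interactive session.
# Usage: flag_noshell_logins <saved `last -a` output> <passwd file>
flag_noshell_logins() {
    awk '
        # First file (passwd): remember accounts with a no-login shell.
        FNR == NR {
            n = split($0, f, ":")
            if (n >= 7 && f[7] ~ /\/(false|nologin)$/) noshell[f[1]] = f[7]
            next
        }
        # Second file (last -a): field 1 is the user, field 2 the tty,
        # and -a puts the remote host in the last field.
        # last may truncate long user names, so those can be missed here.
        ($1 in noshell) { print $1, $2, $NF, noshell[$1] }
    ' "$2" "$1"
}

# Constructed sample input; only the karen lines come from the post.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
karen:x:509:509::/home/karen:/bin/false
EOF
    cat > "$dir/last" <<'EOF'
alice pts/0 Sun Aug 24 20:01 still logged in 192.0.2.10
karen pts/1 Thu Aug 14 22:22 - 22:22 (00:00) 121.14.136.123
reboot system boot Fri Aug 1 03:10 (23+18:30) 2.4.22
EOF
    flag_noshell_logins "$dir/last" "$dir/passwd"
    rm -rf "$dir"
}

sample_run
```

Each output line gives user, tty, remote host and the passwd shell, so a hit can be compared with the sshd or PAM entries in the system logs for the same timestamp.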