On Tue, 4 Jan 2005, Bill Moran wrote:
Perhaps you just mixed up some (pseudo-)user's entry for /etc/master.passwd ?
Over the holiday I replaced a server that appeared to have been cracked. Basically built a replacement with the same services in a sandbox, then swapped it with the old one.
The new server seems to be secure, as we're not seeing the spam coming off it that the old one was generating, however, I'm seeing a lot of messages in the log files. For example:
Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory Jan 4 07:15:13 mail su: _secure_path: cannot stat /usr/sbin/nologin/.login_conf: Not a directory
Instead of
...:/nonexistent:/sbin/nologin
you set
...:/sbin/nologin:/nonexistent ???
Just a guess,
Uli.
On the one hand, I'm taking this to mean that whatever technique was previously being used to control the box is no longer working, but I'm wondering if anyone has an idea as to what the technique actually was? I want to see if I can lock it down even further, based on the specific exploit that is being attempted here.
Anyone seen these errors before, and have any clue as to what exploit is going on? The previous machine was very outdated, so I'm assuming it was a known exploit in the mail system (postfix) or Neomail or something else. The new machine has all the latest stable versions of all software, so I'm hoping that it's no longer vulnerable, but I can't seem to determine what kind of attack was being used.
Thoughts?
-- Bill Moran Potential Technologies http://www.potentialtech.com _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
+---------------------------+ | Peter Ulrich Kruppa | | Wuppertal | | Germany | +---------------------------+ _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
