Re: weird login attempt

From: tjk@tksoft.com
Date: 02/23/01


From: "tjk@tksoft.com" <tjk@tksoft.com>
To: slamdunk@neophile.net (slamdunk)
Date: Fri, 23 Feb 2001 10:33:04 -0800 (PST)

Jerry,

Since the user is www, is it possible that the login
was attempted through the web server? I.e. do you have
your web server running under the username www?

One theoretical possibility would be that someone
was able to execute a cgi which tried to login
to the system.

The ttyv0 indicates a local login, not a networked
(pseudo tty) login. If the cgi exec'ed code which
attached to ttyv0, then this would seem consistent.

Might be a good idea to see your web access logs for
that particular moment in time and see if some cgi
was called just then.

Troy

>
> Nope, it won't be either of these - the box is in a locked cabinet in our
> datacenter.
>
> Ah well, seems this will remain a mystery
>
> Jerry
>
> At 13:48 23/02/2001 +0200, you wrote:
> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
> > > In an earlier message, slamdunk wrote:
> > > > Can anyone identify what this might be?
> > >
> > > Somebody laying their hand over the keyboard :)
> > >
> > > >
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
> >
> >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
> >around the numeric keypad.
> >
> >G'luck,
> >Peter
> >
> >--
> >If you think this sentence is confusing, then change one pig.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
>
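
The check suggested in the reply above (look in the web access log for a CGI request at the moment of the failure), as an added example that is not part of the original thread. It assumes an Apache-style common log format, that both logs come from the same host, and that CGI programs live under `/cgi-bin/` or end in `.cgi`/`.pl`; the sample access-log lines, addresses and paths are constructed.

```python
import re
from datetime import datetime

# Constructed sample data; only the syslog line format is taken from the thread.
SYSLOG = """\
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
"""
ACCESS_LOG = """\
192.0.2.10 - - [23/Feb/2001:10:40:02 -0800] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [23/Feb/2001:10:41:31 -0800] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512
192.0.2.10 - - [23/Feb/2001:10:41:32 -0800] "GET /images/logo.gif HTTP/1.0" 200 900
203.0.113.5 - - [23/Feb/2001:10:55:00 -0800] "GET /cgi-bin/search.pl?q=x HTTP/1.0" 200 77
"""

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login: \d+ LOGIN FAILURE ON (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
CGI_RE = re.compile(r"/cgi-bin/|\.(cgi|pl)(\?|$)")  # assumed CGI naming convention

def login_failures(text, year):
    """Distinct (time, tty) pairs; syslog omits the year, so the caller supplies it."""
    found = set()
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.add((when, m.group(2).rstrip(",")))
    return sorted(found)

def cgi_requests_near(syslog, access_log, year, window_s=60):
    """CGI requests logged within window_s seconds of a console login failure."""
    hits = []
    failures = login_failures(syslog, year)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not CGI_RE.search(m.group(4)):
            continue
        # Drop the UTC offset: syslog records local wall-clock time on the same host.
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        for failed_at, tty in failures:
            delta = int((when - failed_at).total_seconds())
            if abs(delta) <= window_s:
                hits.append({"tty": tty, "client": m.group(1), "method": m.group(3),
                             "path": m.group(4), "seconds_from_failure": delta})
    return hits

if __name__ == "__main__":
    for hit in cgi_requests_near(SYSLOG, ACCESS_LOG, year=2001):
        print(hit)
```

A hit only shows that a CGI request was close in time to the failure; an empty result with a reasonable window points back toward the physical console.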
