Re: weird login attempt

From: James (daemus@oregonfast.net)
Date: 02/23/01


From: "James" <daemus@oregonfast.net>
To: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Feb 2001 20:36:33 GMT

www is the short hostname of the box that the logs came from.

tjk@tksoft.com writes:

> Jerry,
>
> Since the user is www, is it possible that the login
> was attempted through the web server? I.e. do you have
> your web server running under the username www?
>
> One theoretical possibility would be that someone
> was able to execute a cgi which tried to login
> to the system.
>
> The ttyv0 indicates a local login, not a networked
> (pseudo tty) login. If the cgi exec'ed code which
> attached to ttyv0, then this would seem consistent.
>
> Might be a good idea to see your web access logs for
> that particular moment in time and see if some cgi
> was called just then.
>
>
> Troy
>
>>
>> Nope it won't be either of these - The box is in a locked cabinet in our
>> datacenter.
>>
>> Ah well, seems this will remain a mystery
>>
>> Jerry
>>
>> At 13:48 23/02/2001 +0200, you wrote:
>> >On Fri, Feb 23, 2001 at 08:46:59AM -0300, Fernando Schapachnik wrote:
>> > > In a previous message, slamdunk wrote:
>> > > > Can anyone identify what this might be?
>> > >
>> > > Somebody laying its hand over the keyboard :)
>> > >
>> > > >
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
>> > > > Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[
>> >
>> >Those are probably F-keys or similar.. ^[[S is F7, ^[[J is probably something
>> >around the numeric keypad.
>> >
>> >G'luck,
>> >Peter
>> >
>> >--
>> >If you think this sentence is confusing, then change one pig.
>> >
>> >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
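
An added example, not part of any message in this thread: a small triage script for the `login:` failure lines quoted above. It separates virtual-console terminals (`ttyv*`) from pseudo-terminals and pulls out caret-notation escape sequences logged in place of a login name. The pty name pattern, the optional plural `FAILURES`, the `keys_only` heuristic and the third sample line are assumptions made for illustration.

```python
import re

# Line layout taken from the log excerpt quoted in the thread; the optional
# plural "FAILURES" is an assumption.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) login: "
    r"(?P<count>\d+) LOGIN FAILURES? ON (?P<tty>\w+)(?:, (?P<user>.*))?$"
)
# ESC as logged in caret notation ("^["), optionally followed by a CSI body.
CARET_ESC = re.compile(r"\^\[(?:\[[0-9;]*[@-~])?")


def tty_kind(tty):
    """Classify the terminal name; the pty pattern is an assumption."""
    if re.fullmatch(r"ttyv[0-9a-f]+", tty):
        return "local-console"
    if re.fullmatch(r"tty[p-sP-S][0-9a-v]", tty):
        return "pty"
    return "other"


def triage(line):
    """Return a summary dict for one login failure line, or None."""
    m = LINE.match(line)
    if m is None:
        return None
    user = m.group("user") or ""
    seqs = CARET_ESC.findall(user)
    leftover = CARET_ESC.sub("", user).strip()
    return {
        "host": m.group("host"),
        "tty": m.group("tty"),
        "tty_kind": tty_kind(m.group("tty")),
        "escape_sequences": seqs,
        # Heuristic: the "login name" is nothing but escape sequences.
        "keys_only": bool(seqs) and not leftover,
    }


SAMPLE = [
    "Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0",
    "Feb 23 10:41:33 www login: 1 LOGIN FAILURE ON ttyv0, ^[[S^[[J^[[J^[[J^[[~^[",
    "Feb 23 11:02:10 www login: 1 LOGIN FAILURE ON ttyp3, admin",  # constructed
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
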


