Re: who added the new user pcap?
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 06/14/04
- Next message: tux: "new board*nieuw forum"
- Previous message: robert seczkowski: "Re: loopback address"
- In reply to: Lu: "who added the new user pcap?"
- Next in thread: Tim Smith: "Re: who added the new user pcap?"
- Reply: Tim Smith: "Re: who added the new user pcap?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 14 Jun 2004 15:23:32 +0000 (UTC)
lsun91125@yahoo.com (Lu) writes:
]Hi,
]I have a redhat 9 box. Logwatch reported the following:
] --------------------- Connections (secure-log) Begin
]------------------------
]New Users:
] pcap(77)
]**Unmatched Entries**
]groupadd[2380]: new group: name=pcap, gid=77
]usermod[2964]: change user `gdm' shell from `/sbin/nologin' to
]`/sbin/nologin'
] ---------------------- Connections (secure-log) End
]I don't know the exact time it happened. But prior to this, within 24
]hours, I also got something from my yum.cron:
]Stopping sshd:[ OK ]
]Starting sshd:[ OK ]
]warning: /etc/mail/sendmail.cf created as /etc/mail/sendmail.cf.rpmnew
]warning: /etc/mail/submit.cf created as /etc/mail/submit.cf.rpmnew
]I also noticed that the machine was rebooted before these two reports.
]Do these mean a security compromise? What should I do to track it down
]and prevent it?
]Thanks a lot!
It looks like ssh, sendmail were updated with rpm. Were they? Did you do
it?
If you did not do it, find out what or who did.
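
One way to act on the advice above, as an added example that is not part of the original post: match each account-change line in the secure log against package install times, so that changes with no package transaction nearby stand out. The function names `correlate` and `demo`, the package name `example-pkg`, and all timestamps and epochs are constructed for illustration; the script assumes GNU `date` and log timestamps in UTC.

```shell
#!/bin/sh
# correlate SECURE_LOG RPM_LIST YEAR [WINDOW_SECONDS]
# RPM_LIST holds "<install-epoch> <package>" per line, e.g. saved from:
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'
# For every groupadd/useradd/usermod entry, list the packages installed
# within WINDOW_SECONDS of it, or flag the entry if there are none.
correlate() {
    log=$1; rpms=$2; year=$3; window=${4:-120}
    grep -E ' (groupadd|useradd|usermod)\[[0-9]+\]: ' "$log" |
    while read -r mon day time rest; do
        # syslog lines carry no year, so the caller supplies it
        ts=$(date -u -d "$mon $day $year $time" +%s) || continue
        hits=$(awk -v t="$ts" -v w="$window" '
            { d = $1 - t; if (d < 0) d = -d }
            d <= w { printf "%s%s", sep, $2; sep = "," }' "$rpms")
        # ${rest#* } drops the hostname field
        printf '%s => %s\n' "${rest#* }" "${hits:-NO-RPM-NEARBY}"
    done
}

# Constructed sample data: message text follows the Logwatch report quoted
# above, but timestamps, epochs and the third log line are made up.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/secure" <<'EOF'
Jun 14 04:02:13 host groupadd[2380]: new group: name=pcap, gid=77
Jun 14 04:02:41 host usermod[2964]: change user `gdm' shell from `/sbin/nologin' to `/sbin/nologin'
Jun 14 09:15:00 host useradd[4100]: new user: name=constructed, uid=501
EOF
    cat > "$dir/rpms" <<'EOF'
1087185600 openssh-server
1087185730 example-pkg
1087185760 gdm
EOF
    correlate "$dir/secure" "$dir/rpms" 2004 120
    rm -rf "$dir"
}

demo
```

An entry marked `NO-RPM-NEARBY` was not made during a package transaction and is the one to trace to a person or process first.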