On Mon, 2 Aug 2004, Dan Margolis wrote:

> Incorrect login attempts should NOT show up (or at least they don't for
> me). This would imply that the user did log in successfully. Do you have
> a user by the name of ``test''? Perhaps with its shell set to
> /bin/false so that it cannot log in to a working shell?

I have no user test in /etc/passwd or /etc/shadow:

This is a 2004.1 recently installed system
w/ latest sync and world updates
vanilla 2.4.26 kernel

last -a | grep test
test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
test pts/0 Sat Jul 24 17:29 - 17:29 (00:00) 210.143.106.131
test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5
test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7
test pts/1 Thu Jul 15 09:03 - 09:03 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:59 - 08:59 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:57 - 08:57 (00:00) mail.schedl-automotive.de
test pts/0 Thu Jul 15 08:53 - 08:53 (00:00) mail.schedl-automotive.de
test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) host2-140.pool21758.interbusiness.it
test pts/0 Tue Jul 13 01:23 - 01:23 (00:00) 216-55-164-10.dedicated.abac.net

>
> Or are you perhaps running an out of date version of OpenSSH (like, a
> year out of date)?

ssh -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004

>
> Seeing as I've yet to hear of an exploit on a patched system with no
> vulnerable users/passwords, I had been assuming there is no 0day exploit
> out there to be concerned about. But perhaps you can confirm differently
> for us.

Since these login attempts have appeared I have been monitoring closely
and have not experienced any more attempts.

--
gentoo-security@g.o mailing list
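
The cross-check discussed in this thread (session records in `last -a` for a user with no passwd entry), as an added example that is not part of the original message. The sample lines, the documentation-range addresses and the account `alice` are constructed, and `passwd_users` and `orphan_sessions` are hypothetical helper names.

```python
import re
from collections import defaultdict

# One session line of `last -a` output (remote host in the last column).
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<start>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d)\s+"
    r"(?:-\s+\S+\s+\((?P<dur>[\d+:]+)\)|still logged in)\s+"
    r"(?P<host>\S+)$"
)

def passwd_users(passwd_text):
    """Return the set of account names in passwd(5)-format text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}

def orphan_sessions(last_text, passwd_text):
    """Group wtmp sessions whose user has no passwd entry.

    Returns {user: {"count": n, "hosts": set, "zero_length": n}}.
    """
    known = passwd_users(passwd_text)
    report = defaultdict(lambda: {"count": 0, "hosts": set(), "zero_length": 0})
    for line in last_text.splitlines():
        m = LAST_LINE.match(line.strip())
        # Blank, reboot and "wtmp begins" lines do not match the pattern.
        if not m or m["user"] in known:
            continue
        entry = report[m["user"]]
        entry["count"] += 1
        entry["hosts"].add(m["host"])
        if m["dur"] == "00:00":  # session opened and closed in the same minute
            entry["zero_length"] += 1
    return dict(report)

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE_LAST = """\
test     pts/0        Tue Jul 27 00:45 - 00:45  (00:00)     192.0.2.40
test     pts/0        Sat Jul 24 17:29 - 17:29  (00:00)     198.51.100.131
alice    pts/1        Sat Jul 24 09:00 - 11:30  (02:30)     203.0.113.7
test     pts/1        Thu Jul 15 09:03 - 09:03  (00:00)     192.0.2.40
reboot   system boot  Thu Jul 15 08:00 - 09:00  (01:00)     2.4.26
alice    pts/2        Thu Jul 15 08:10   still logged in    203.0.113.7

wtmp begins Thu Jul  1 00:00:00 2004
"""
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n")
```

On a live system the two inputs would be the output of `last -a` and the contents of /etc/passwd.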