| 1 |
On Mon, 2 Aug 2004, Bryan O'Shea wrote: |
| 2 |
|
| 3 |
> I have had these scans/logins attempted on one of my servers. |
| 4 |
> I see all the attempts for guest,admin,test in my logs. |
| 5 |
> They also show up when i run the command 'last' |
| 6 |
> to see what users obviously have last logged in and a user test |
| 7 |
> shows up. The log in time shows for 0 time logged in. I did not know that |
| 8 |
> incorrect login attempts would show in the output of the command 'last' or |
| 9 |
> even users that don't exist on the system. |
| 10 |
> Maybe someone can explain what this means? |
| 11 |
|
| 12 |
After further investigation I have gone through all my backup logs and |
| 13 |
noticed a user test was installed on the attempts in question. The user |
| 14 |
was later deleted by a bulk user cleanup script I run to delete old |
| 15 |
accounts. I further saw login attempts in my logs for the user test |
| 16 |
after the account was deleted and no entries showed up in my 'last' |
| 17 |
output on further login attempts. I had the shell set to /bin/false. |
| 18 |
|
| 19 |
So far this is the only explanation I have to account for the 'last' |
| 20 |
entries. Sorry if i alarmed anyone but wanted to be safe instead of |
| 21 |
sorry. |
| 22 |
|
| 23 |
Thanks for the input |
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
-- |
| 28 |
gentoo-security@g.o mailing list |
Archives