1 |
On Mon, 2 Aug 2004, Bryan O'Shea wrote: |
2 |
|
3 |
> I have had these scans/logins attempted on one of my servers. |
4 |
> I see all the attempts for guest,admin,test in my logs. |
5 |
> They also show up when i run the command 'last' |
6 |
> to see what users obviously have last logged in and a user test |
7 |
> shows up. The log in time shows for 0 time logged in. I did not know that |
8 |
> incorrect login attempts would show in the output of the command 'last' or |
9 |
> even users that don't exist on the system. |
10 |
> Maybe someone can explain what this means? |
11 |
|
12 |
After further investigation I have gone through all my backup logs and |
13 |
noticed a user test was installed on the attempts in question. The user |
14 |
was later deleted by a bulk user cleanup script I run to delete old |
15 |
accounts. I further saw login attempts in my logs for the user test |
16 |
after the account was deleted and no entries showed up in my 'last' |
17 |
output on further login attempts. I had the shell set to /bin/false. |
18 |
|
19 |
So far this is the only explanation I have to account for the 'last' |
20 |
entries. Sorry if i alarmed anyone but wanted to be safe instead of |
21 |
sorry. |
22 |
|
23 |
Thanks for the input |
24 |
|
25 |
|
26 |
|
27 |
-- |
28 |
gentoo-security@g.o mailing list |