| 1 |
On 28/07/2014 16:45, Andrew Lowe wrote: |
| 2 |
> Hi all, |
| 3 |
> I don't run telnet at all. I don't even have it installed on my machine |
| 4 |
> yet tonight I had a look in /var/lib to try and find a reason as to why |
| 5 |
> something else is failing and lo and behold there is a telnet dir. |
| 6 |
> Having a look inside shows: |
| 7 |
> |
| 8 |
> ****************** |
| 9 |
> |
| 10 |
> bluey telnet # pwd |
| 11 |
> /var/log/telnet |
| 12 |
> bluey telnet # ls -la |
| 13 |
> total 48 |
| 14 |
> drwx------ 2 root root 4096 Jul 2 14:58 . |
| 15 |
> drwxr-xr-x 15 root root 8192 Jul 28 22:03 .. |
| 16 |
> -rw-r--r-- 1 root root 145 Jul 2 14:58 current |
| 17 |
> -rw-r--r-- 1 root root 145 May 4 21:07 log-2014-05-12-11:22:05 |
| 18 |
> -rw-r--r-- 1 root root 372 May 12 19:22 log-2014-05-26-11:54:56 |
| 19 |
> -rw-r--r-- 1 root root 145 May 26 19:54 log-2014-06-13-04:25:41 |
| 20 |
> -rw-r--r-- 1 root root 145 Jun 13 12:25 log-2014-06-30-10:39:20 |
| 21 |
> -rw-r--r-- 1 root root 513 Jun 30 22:09 log-2014-07-02-06:58:34 |
| 22 |
> -rw-r--r-- 1 root root 11 Jul 2 14:58 .timestamp |
| 23 |
> bluey telnet # |
| 24 |
> bluey telnet # telnet |
| 25 |
> bash: telnet: command not found |
| 26 |
> |
| 27 |
> ****************** |
| 28 |
> |
| 29 |
> Looking inside one of these files reveals: |
| 30 |
> |
| 31 |
> ****************** |
| 32 |
> |
| 33 |
> bluey telnet # cat log-2014-05-26-11\:54\:56 |
| 34 |
> May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; |
| 35 |
> logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root |
| 36 |
> May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', |
| 37 |
> Authentication failure |
| 38 |
> May 12 19:22:15 [login] pam_unix(login:session): session opened for user |
| 39 |
> root by LOGIN(uid=0) |
| 40 |
> May 12 19:22:15 [login] ROOT LOGIN on '/dev/tty1' |
| 41 |
> |
| 42 |
> ****************** |
| 43 |
> |
| 44 |
> Sorry for the bad wrapping, each new line starts with "May 12..." |
| 45 |
> |
| 46 |
> Does anyone have any ideas as to why there is a telnet dir with |
| 47 |
> something in it on my machine???? Does anyone know of another app that |
| 48 |
> might for some bizarre reason, create a telnet dir????? |
| 49 |
> |
| 50 |
> Any thoughts, greatly appreciated, |
| 51 |
> |
| 52 |
> Andrew |
| 53 |
|
| 54 |
Files in /var/log are usually created by syslog, and those have the |
| 55 |
correct format for syslog entries and are using the tag "login". But |
| 56 |
they are not telnet logins, they are console logins on /dev/tty1. This |
| 57 |
all looks perfectly normal btw, the are just in a directory with an odd |
| 58 |
name. |
| 59 |
|
| 60 |
So, first thing is to check you syslogger's config and see if is |
| 61 |
configured to add logs with the message "login" to a file in a directory |
| 62 |
"telnet"[1]. Better, post your scrubbed config here |
| 63 |
|
| 64 |
If that looks legit, check your logrotate config. |
| 65 |
|
| 66 |
I wouldn't be assuming an intrusion here,it doesn't have the look or |
| 67 |
feel of one. I'd be assuming a stoopid config :-) |
| 68 |
|
| 69 |
|
| 70 |
|
| 71 |
-- |
| 72 |
Alan McKinnon |
| 73 |
alan.mckinnon@×××××.com |
Archives