On 28/07/2014 16:45, Andrew Lowe wrote:
> Hi all,
> I don't run telnet at all. I don't even have it installed on my machine
> yet tonight I had a look in /var/lib to try and find a reason as to why
> something else is failing and lo and behold there is a telnet dir.
> Having a look inside shows:
>
> ******************
>
> bluey telnet # pwd
> /var/log/telnet
> bluey telnet # ls -la
> total 48
> drwx------ 2 root root 4096 Jul 2 14:58 .
> drwxr-xr-x 15 root root 8192 Jul 28 22:03 ..
> -rw-r--r-- 1 root root 145 Jul 2 14:58 current
> -rw-r--r-- 1 root root 145 May 4 21:07 log-2014-05-12-11:22:05
> -rw-r--r-- 1 root root 372 May 12 19:22 log-2014-05-26-11:54:56
> -rw-r--r-- 1 root root 145 May 26 19:54 log-2014-06-13-04:25:41
> -rw-r--r-- 1 root root 145 Jun 13 12:25 log-2014-06-30-10:39:20
> -rw-r--r-- 1 root root 513 Jun 30 22:09 log-2014-07-02-06:58:34
> -rw-r--r-- 1 root root 11 Jul 2 14:58 .timestamp
> bluey telnet #
> bluey telnet # telnet
> bash: telnet: command not found
>
> ******************
>
> Looking inside one of these files reveals:
>
> ******************
>
> bluey telnet # cat log-2014-05-26-11\:54\:56
> May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
> May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
> May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
> May 12 19:22:15 [login] ROOT LOGIN on '/dev/tty1'
>
> ******************
>
> Sorry for the bad wrapping, each new line starts with "May 12..."
>
> Does anyone have any ideas as to why there is a telnet dir with
> something in it on my machine???? Does anyone know of another app that
> might for some bizarre reason, create a telnet dir?????
>
> Any thoughts, greatly appreciated,
>
> Andrew

Files in /var/log are usually created by syslog, and those have the
correct format for syslog entries and are using the tag "login". But
they are not telnet logins, they are console logins on /dev/tty1. This
all looks perfectly normal btw, they are just in a directory with an odd
name.

So, first thing is to check your syslogger's config and see if it is
configured to add logs with the message "login" to a file in a directory
"telnet"[1]. Better, post your scrubbed config here.

If that looks legit, check your logrotate config.

I wouldn't be assuming an intrusion here, it doesn't have the look or
feel of one. I'd be assuming a stoopid config :-)



-- 
Alan McKinnon
alan.mckinnon@×××××.com
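As an added example (not code from either poster), here is a small Python parser for syslog lines shaped like the ones Andrew quoted. It pulls out the PAM and login(1) events and distinguishes console logins (a /dev/ttyN device and an empty rhost field) from network-originated ones (rhost populated), which is the distinction Alan's reply rests on. The sample lines are constructed to match the quoted shape, the contrast line with rhost=192.0.2.10 on /dev/pts/3 is invented for the example, and all function and field names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same shape as the lines quoted in the thread
# (syslog timestamp, "[login]" tag, PAM / login(1) messages). Not real data.
SAMPLE_LOG = """\
May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 12 19:22:15 [login] ROOT LOGIN on '/dev/tty1'
"""

# Constructed contrast line (hypothetical): same message shape, but with rhost
# filled in, which is what a network-originated login attempt would record.
SAMPLE_REMOTE_LINE = (
    "May 12 19:30:00 [login] pam_unix(login:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=192.0.2.10 user=root"
)

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<tag>[^\]]+)\] (?P<msg>.*)$"
)
FAILED = re.compile(r"FAILED LOGIN \(\d+\) on '(?P<tty>[^']+)' FOR '(?P<user>[^']+)'")
OPENED = re.compile(r"session opened for user (?P<user>\S+)")
ROOTLOGIN = re.compile(r"ROOT LOGIN on '(?P<tty>[^']+)'")
KV = re.compile(r"(\w+)=(\S*)")   # key=value pairs in pam_unix messages


@dataclass
class LoginEvent:
    timestamp: str
    tag: str
    kind: str                      # auth_failure | failed_login | session_open | root_login | other
    user: Optional[str] = None
    tty: Optional[str] = None
    rhost: Optional[str] = None    # "" means the field was present but empty

    @property
    def is_remote(self) -> bool:
        # Console logins on /dev/ttyN carry an empty rhost; a non-empty rhost
        # means the attempt came over the network and deserves a closer look.
        return bool(self.rhost)


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one syslog line into a LoginEvent, or None if it is not syslog-shaped."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    ts, tag, msg = m.group("ts"), m.group("tag"), m.group("msg")
    if "pam_unix(" in msg and ":auth): authentication failure" in msg:
        fields = dict(KV.findall(msg))
        return LoginEvent(ts, tag, "auth_failure", fields.get("user"),
                          fields.get("tty"), fields.get("rhost"))
    m2 = FAILED.search(msg)
    if m2:
        return LoginEvent(ts, tag, "failed_login", m2.group("user"), m2.group("tty"))
    m2 = OPENED.search(msg)
    if m2:
        return LoginEvent(ts, tag, "session_open", m2.group("user"))
    m2 = ROOTLOGIN.search(msg)
    if m2:
        return LoginEvent(ts, tag, "root_login", "root", m2.group("tty"))
    return LoginEvent(ts, tag, "other")


def parse_log(text: str) -> List[LoginEvent]:
    """Parse every syslog-shaped line in a log file body; skip anything else."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events: List[LoginEvent]) -> Dict[str, object]:
    """The counts a reviewer wants before deciding whether a log looks off."""
    return {
        "auth_failures": sum(e.kind == "auth_failure" for e in events),
        "failed_logins": sum(e.kind == "failed_login" for e in events),
        "sessions_opened": sum(e.kind == "session_open" for e in events),
        "root_logins": sum(e.kind == "root_login" for e in events),
        "remote_events": sum(e.is_remote for e in events),
        "ttys": sorted({e.tty for e in events if e.tty}),
        "tags": sorted({e.tag for e in events}),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.timestamp, e.kind, e.user, e.tty, "remote" if e.is_remote else "console")
    print(summarize(evs))
    print("contrast line is remote:", parse_line(SAMPLE_REMOTE_LINE).is_remote)
```

Run against the quoted sample, the summary shows one failed root attempt followed by a successful root login, all on /dev/tty1 with no remote host recorded, which is what a typo at the physical console looks like; the same parser flags the constructed /dev/pts/3 line as remote because its rhost is populated.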