Question about entry in auth.log
Jeremy Chadwick
koitsu at FreeBSD.org
Sat Nov 15 00:17:26 PST 2008
On Fri, Nov 14, 2008 at 11:37:15PM -0800, Jeremy Chadwick wrote:
> On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> > Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
> > been there. I got rid of the michael account (it wasn't used anyway), and
> > downloaded a new copy of chkrootkit, installed it and ran it along with
> > chklastlog and chkwtmp. Nothing was found. Pehaps this was a harmless
> > enough prank? Anything else I ought to look at? Fortunately the michael
> > account did not have te ability to su to root.
>
> The individual in Romania *was not* able to log in as michael. The
Correction: the individual **WAS** able to log in as michael. I missed
the part of the message that said "Accepted" at the front. Sorry for
confusing you, I've had a very rough week and my brain is not
functioning.
What Wojciech said is correct -- change the password on the account.
Also keep in mind that the user may not have actually logged in and
gotten a shell; the message you see can also happen if the individual
simply scp'd something (e.g. no shell spawned).
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-questions
mailing list