|Jason DiCioccio||Jun 26, 2004 1:13 pm|
|Dave||Jun 26, 2004 8:06 pm|
|Neo-Vortex||Jun 27, 2004 1:20 am|
|Dave||Jun 28, 2004 2:20 pm|
|Neo-Vortex||Jun 28, 2004 5:16 pm|
|Dave||Jun 29, 2004 5:37 pm|
|Andrew Johns||Jun 29, 2004 5:57 pm|
|Dave||Jun 29, 2004 7:14 pm|
|gu...@device.dyndns.org||Jun 30, 2004 2:24 am|
|Andrew McNaughton||Jun 30, 2004 6:59 am|
|Gary Mulder||Jun 30, 2004 8:39 am|
|Subject:||ttyv for local only?|
|Date:||Jun 28, 2004 5:16:23 pm|
check /etc/ttys and see if ttyv2 has been mapped to anything else apart from the getty for that terminal, if it has, then thats why its appearing, if it hasnt, then either someone was at your box (wich we have established as impossible) or getty is backdoor'd... or of course something is sending phoney messages to syslogd...
On Mon, 28 Jun 2004, Dave wrote:
Hmm, I think I am in some kind of trouble. I have been getting login errors on ttyv that definitely couldn't be me. The only other person who lives with me is my wife, and it isn't her either.
qmail, popa3d, etc.. I am even getting them on my ftp too.
If someone had root access, they should be able to know what I am running on my system rather than trying these idiotic logins. In fact, they could telnet to my mail port and look for the Sendmail greeting to know that I don't run qmail, or portping 125 to see if I am running any kind of POP3 server. A piece of me feels it is just some internet sweeper that mindlessly tries logging in or ftping to certain things, and moves to the next IP address. I am also wondering if it is just a syslogd thing that the login failures were simply reported on ttyv2 rather than actually happening there, but then why not ttyv0, which is the 'main' thing it prints to?
I recently just backed up my system so I'm not feeling that bad but.... but... how? There is no sense in making the same mistake twice. I could run cvsup, compile a fresh binary of sockstat and ps to see if anything is running...
I'll consider turning snp off and recompiling my kernel. But that would just get rid of the messages, not help me get to the heart of it.
On Sun, 27 Jun 2004, Neo-Vortex wrote:
Hmmm, ttyv* is for local console's only (normally anyway) and ttyp* is for remote (ssh, screen, telnet, etc), are you sure some idiot didnt try to logon as qmaild in the third console when you wernt looking?
On Sat, 26 Jun 2004, Dave wrote:
I get this in my security postings.
Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2 Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild
As it turns out, I'm not running qmail :) And if I did, it would definitely have a nologin shell. But that's beside the point-
I have had a perception that ttyv was for local/console logins, and that just "tty" was for remote logins.
Is my understanding wrong here?
_______________________________________________ free...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "free...@freebsd.org"