Bug 644

Summary: Unauthorized login: cigna
Product: [Retired] Red Hat Linux
Reporter: edge
Component: netkit-base
Assignee: David Lawrence <dkl>
Status: CLOSED NOTABUG
Severity: medium
Priority: high
Version: 5.1
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 1998-12-29 18:44:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---

Description edge 1998-12-29 05:11:18 UTC
The following was found in my /var/log/messages file.

[root@has-a RedHat]# grep cigna /var/log/messages
Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net

However, a grep of /etc/password provided no login
of that name.

I saw no reports of this, and could not search the mailing
list archives; however, I did notice another user posted to
dejanews with the same problem.

I have had to disable telnetd, as my entire system was
compromised from this.

Comment 1 David Lawrence 1998-12-29 18:44:59 UTC
I would suggest contacting the sysadmin from the site mentioned in the
/var/log/messages to see if they have a record of a user by that name.
Let them know of the wrongdoing and they should take action.
I would recommend restoring from a previous backup or reinstalling
from scratch and then applying all security updates. I have not been able
to replicate the login in our test lab. Certain important system files
must have been replaced by the intruder to allow logging in by that
name.
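The check the reporter did by hand (grep the login records, then look for the account in /etc/passwd) as an added example, not code from the bug report or from Red Hat: it parses login(1) "LOGIN ON ... BY ... FROM ..." records from syslog text and reports the ones whose user has no passwd entry. The two log lines are the ones quoted above; the "alice" login, the host console.example.net and the passwd excerpt are constructed for contrast.

```python
import re
from typing import List, NamedTuple

# Sample log text: the two records quoted in the bug report, plus one
# constructed benign login ("alice") so the filter has something to pass.
SAMPLE_MESSAGES = """\
Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net
Dec 28 17:05:42 has-a PAM_pwdb[4102]: (login) session opened for user alice by (uid=0)
Dec 28 17:05:42 has-a login[4102]: LOGIN ON ttyp6 BY alice FROM console.example.net
"""

# Constructed /etc/passwd excerpt; "cigna" is deliberately absent, as the reporter found.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""

# login(1) record as written to syslog; "FROM host" is absent for console logins.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[(?P<pid>\d+)\]: "
    r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)(?: FROM (?P<src>\S+))?$"
)

class Login(NamedTuple):
    ts: str
    pid: int
    tty: str
    user: str
    src: str

def known_users(passwd_text: str) -> set:
    """Account names present in /etc/passwd-format text (first colon-separated field)."""
    return {line.split(":", 1)[0]
            for line in passwd_text.splitlines() if line and not line.startswith("#")}

def parse_logins(messages_text: str) -> List[Login]:
    """Extract the login(1) records; PAM_pwdb and other lines are ignored."""
    logins = []
    for line in messages_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(Login(m["ts"], int(m["pid"]), m["tty"], m["user"], m["src"] or "local"))
    return logins

def unknown_account_logins(messages_text: str, passwd_text: str) -> List[Login]:
    """Logins whose user name has no passwd entry: the indicator the reporter hit."""
    users = known_users(passwd_text)
    return [login for login in parse_logins(messages_text) if login.user not in users]

if __name__ == "__main__":
    for hit in unknown_account_logins(SAMPLE_MESSAGES, SAMPLE_PASSWD):
        print(f"{hit.ts} pid={hit.pid} tty={hit.tty} user={hit.user} from={hit.src}")
```

As Comment 1 points out, the result is only as trustworthy as the log and the passwd file on the box; on a host that is already compromised, both should be read from a copy taken offline rather than trusted in place.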