Bug 176 - Break in via NFS
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: distribution
Version: 5.1
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Preston Brown
Reported: 1998-11-23 18:38 UTC by eric-dean
Modified: 2008-05-01 15:37 UTC (History)
Doc Type: Bug Fix
Last Closed: 1998-11-24 16:48:10 UTC

Description eric-dean 1998-11-23 18:38:18 UTC
Hello,

I am using Red Hat Linux on an Intel machine,
ovm2.art.uiowa.edu, and I think I've had someone try to break,
or succeed in breaking, into the machine. This machine is a
testbed I am using for MySQL database software in the School
of Art and Art History. Following are selections from log
files.  I can't tell if the person actually got in or not.
Please let me know.

Thank you,

Eric Dean
Chief Curator
Office of Visual Materials
School of Art and Art History
335-3131

Here is a selection from the /var/log/secure.1

Nov 16 13:56:04 ovm2 in.telnetd[545]: connect from arthur.avalon.net
Nov 16 21:16:53 ovm2 in.telnetd[851]: connect from dial22.icwest.avalon.net
Nov 16 22:55:52 ovm2 in.telnetd[909]: connect from 192.48.32.179
Nov 18 14:29:39 ovm2 imapd[2741]: connect from djk.umt.se
Nov 18 14:29:39 ovm2 imapd[2741]: error: cannot execute /usr/sbin/imapd: No such file or directory
Nov 19 14:20:25 ovm2 in.telnetd[3794]: connect from dial7.icwest.avalon.net
Nov 20 10:15:08 ovm2 in.telnetd[4738]: connect from dial6.icwest.avalon.net
Nov 20 11:01:54 ovm2 login: FAILED LOGIN 1 FROM (null) FOR ericdean, Authentication failure
Nov 21 16:35:32 ovm2 in.telnetd[6077]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:35:33 ovm2 imapd[6078]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:35:33 ovm2 imapd[6078]: error: cannot execute /usr/sbin/imapd: No such file or directory
Nov 21 16:35:33 ovm2 imapd[6079]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:35:33 ovm2 imapd[6079]: error: cannot execute /usr/sbin/imapd: No such file or directory
Nov 21 16:35:33 ovm2 in.telnetd[6080]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:49:08 ovm2 imapd[6082]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:49:08 ovm2 imapd[6082]: error: cannot execute /usr/sbin/imapd: No such file or directory
Nov 21 16:49:18 ovm2 ipop3d[6083]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:49:18 ovm2 ipop3d[6083]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Nov 21 16:51:30 ovm2 in.telnetd[6091]: connect from pool041-max1.ds8-ca-us.dialup.earthlink.net

I am the avalon.net connections.  All other connections are
unauthorized.





Here is a selection from /var/log/messages.1

Nov 20 21:01:00 ovm2 PAM_pwdb[5174]: (su) session closed for
user news
Nov 20 22:01:01 ovm2 PAM_pwdb[5209]: (su) session opened for
user news by (uid=9)
Nov 20 22:01:01 ovm2 PAM_pwdb[5209]: (su) session closed for
user news
Nov 20 23:01:00 ovm2 PAM_pwdb[5244]: (su) session opened for
user news by (uid=9)
Nov 20 23:01:01 ovm2 PAM_pwdb[5244]: (su) session closed for
user news
Nov 21 00:01:00 ovm2 PAM_pwdb[5279]: (su) session opened for
user news by (uid=9)
Nov 21 00:01:00 ovm2 PAM_pwdb[5279]: (su) session closed for
user news
Nov 21 01:01:00 ovm2 PAM_pwdb[5314]: (su) session opened for
user news by (uid=9)
Nov 21 01:01:00 ovm2 PAM_pwdb[5314]: (su) session closed for
user news
Nov 21 02:01:00 ovm2 PAM_pwdb[5349]: (su) session opened for
user news by (uid=9)
Nov 21 02:01:00 ovm2 PAM_pwdb[5349]: (su) session closed for
user news
Nov 21 03:01:00 ovm2 PAM_pwdb[5384]: (su) session opened for
user news by (uid=9)
Nov 21 03:01:00 ovm2 PAM_pwdb[5384]: (su) session closed for
user news
Nov 21 04:01:00 ovm2 PAM_pwdb[5419]: (su) session opened for
user news by (uid=9)
Nov 21 04:01:01 ovm2 PAM_pwdb[5419]: (su) session closed for
user news
Nov 21 04:02:01 ovm2 PAM_pwdb[5453]: (su) session opened for
user news by (uid=9)
Nov 21 04:02:32 ovm2 rnews[5600]: rejected connection What
server?
Nov 21 04:02:32 ovm2 PAM_pwdb[5453]: (su) session closed for
user news
Nov 21 04:02:32 ovm2 rnews[5602]: rejected connection What
server?
Nov 21 04:02:33 ovm2 PAM_pwdb[5616]: (su) session opened for
user nobody by (uid=99)
Nov 21 04:03:24 ovm2 PAM_pwdb[5616]: (su) session closed for
user nobody
Nov 21 05:01:00 ovm2 PAM_pwdb[5661]: (su) session opened for
user news by (uid=9)
Nov 21 05:01:01 ovm2 PAM_pwdb[5661]: (su) session closed for
user news
Nov 21 06:01:00 ovm2 PAM_pwdb[5696]: (su) session opened for
user news by (uid=9)
Nov 21 06:01:00 ovm2 PAM_pwdb[5696]: (su) session closed for
user news
Nov 21 07:01:00 ovm2 PAM_pwdb[5731]: (su) session opened for
user news by (uid=9)
Nov 21 07:01:00 ovm2 PAM_pwdb[5731]: (su) session closed for
user news
Nov 21 08:01:00 ovm2 PAM_pwdb[5766]: (su) session opened for
user news by (uid=9)
Nov 21 08:01:00 ovm2 PAM_pwdb[5766]: (su) session closed for
user news
Nov 21 09:01:00 ovm2 PAM_pwdb[5801]: (su) session opened for
user news by (uid=9)
Nov 21 09:01:00 ovm2 PAM_pwdb[5801]: (su) session closed for
user news
Nov 21 10:01:00 ovm2 PAM_pwdb[5836]: (su) session opened for
user news by (uid=9)
Nov 21 10:01:00 ovm2 PAM_pwdb[5836]: (su) session closed for
user news
Nov 21 11:01:00 ovm2 PAM_pwdb[5871]: (su) session opened for
user news by (uid=9)
Nov 21 11:01:01 ovm2 PAM_pwdb[5871]: (su) session closed for
user news
Nov 21 12:01:00 ovm2 PAM_pwdb[5906]: (su) session opened for
user news by (uid=9)
Nov 21 12:01:00 ovm2 PAM_pwdb[5906]: (su) session closed for
user news
Nov 21 13:01:00 ovm2 PAM_pwdb[5941]: (su) session opened for
user news by (uid=9)
Nov 21 13:01:00 ovm2 PAM_pwdb[5941]: (su) session closed for
user news
Nov 21 14:01:00 ovm2 PAM_pwdb[5976]: (su) session opened for
user news by (uid=9)
Nov 21 14:01:00 ovm2 PAM_pwdb[5976]: (su) session closed for
user news
Nov 21 15:01:00 ovm2 PAM_pwdb[6011]: (su) session opened for
user news by (uid=9)
Nov 21 15:01:00 ovm2 PAM_pwdb[6011]: (su) session closed for
user news
Nov 21 16:01:00 ovm2 PAM_pwdb[6046]: (su) session opened for
user news by (uid=9)
Nov 21 16:01:01 ovm2 PAM_pwdb[6046]: (su) session closed for
user news
Nov 21 16:35:32 ovm2 telnetd[6077]: ttloop:  peer died:
Invalid or incomplete multibyte or wide character
Nov 21 16:49:37 ovm2 mountd[300]: Unauthorized access by NFS
client 207.217.235.191.
Nov 21 16:49:37 ovm2 syslogd: Cannot glue message parts
together
Nov 21 16:49:37 ovm2 mountd[300]: Blocked attempt of
207.217.235.191 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
Nov 21 16:49:37 ovm2 ^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H
Nov 21 16:51:33 ovm2 PAM_pwdb[6092]: (login) session opened
for user mobb by (uid=0)
Nov 21 16:51:33 ovm2 login[6092]: LOGIN ON ttyp0 BY mobb FROM
pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:51:36 ovm2 PAM_pwdb[6104]: (su) session opened for
user jeremy by mobb(uid=0)
Nov 21 16:55:27 ovm2 mountd[6086]: Unauthorized access by NFS
client 207.217.235.191.
Nov 21 16:55:27 ovm2 syslogd: Cannot glue message parts
together
Nov 21 16:55:27 ovm2 mountd[6086]: Blocked attempt of
207.217.235.191 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
Nov 21 16:55:27 ovm2 (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H
Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
Nov 21 16:55:42 ovm2 PAM_pwdb[6104]: (su) session closed for
user jeremy
Nov 21 16:55:43 ovm2 PAM_pwdb[6092]: (login) session closed
for user mobb
Nov 21 16:58:52 ovm2 mountd[6191]: Unauthorized access by NFS
client 207.217.235.191.
Nov 21 17:01:00 ovm2 PAM_pwdb[6215]: (su) session opened for
user news by (uid=9)
Nov 21 17:01:01 ovm2 PAM_pwdb[6215]: (su) session closed for
user news
Nov 21 18:01:00 ovm2 PAM_pwdb[6250]: (su) session opened for
user news by (uid=9)
Nov 21 18:01:01 ovm2 PAM_pwdb[6250]: (su) session closed for
user news
Nov 21 19:01:00 ovm2 PAM_pwdb[6285]: (su) session opened for
user news by (uid=9)
Nov 21 19:01:00 ovm2 PAM_pwdb[6285]: (su) session closed for
user news
Nov 21 19:36:59 ovm2 identd[6334]: from: 209.178.2.209 (
pool009-max7.ds8-ca-us.dialup.earthlink.net ) for: 1104, 21
Nov 21 19:36:59 ovm2 identd[6334]: Successful lookup: 1104 ,
21 : root.root
Nov 21 19:40:23 ovm2 identd[6338]: from: 209.178.2.209 (
pool009-max7.ds8-ca-us.dialup.earthlink.net ) for: 1109, 21
Nov 21 19:40:23 ovm2 identd[6338]: Successful lookup: 1109 ,
21 : root.root
Nov 21 19:43:54 ovm2 identd[6346]: from: 209.178.2.209 (
pool009-max7.ds8-ca-us.dialup.earthlink.net ) for: 1116, 21
Nov 21 19:43:54 ovm2 identd[6346]: Successful lookup: 1116 ,
21 : root.root
Nov 21 20:01:00 ovm2 PAM_pwdb[6405]: (su) session opened for
user news by (uid=9)
Nov 21 20:01:00 ovm2 PAM_pwdb[6405]: (su) session closed for
user news
Nov 21 21:01:00 ovm2 PAM_pwdb[6465]: (su) session opened for
user news by (uid=9)
Nov 21 21:01:00 ovm2 PAM_pwdb[6465]: (su) session closed for
user news
Nov 21 21:18:55 ovm2 identd[6502]: from: 209.178.2.209 (
pool009-max7.ds8-ca-us.dialup.earthlink.net ) for: 1169, 21
Nov 21 21:18:55 ovm2 identd[6502]: Successful lookup: 1169 ,
21 : root.root
Nov 21 22:01:00 ovm2 PAM_pwdb[6563]: (su) session opened for
user news by (uid=9)
Nov 21 22:01:01 ovm2 PAM_pwdb[6563]: (su) session closed for
user news
Nov 21 23:01:00 ovm2 PAM_pwdb[6598]: (su) session opened for
user news by (uid=9)
Nov 21 23:01:01 ovm2 PAM_pwdb[6598]: (su) session closed for
user news
Nov 21 23:46:52 ovm2 identd[6646]: from: 209.178.2.209 (
pool009-max7.ds8-ca-us.dialup.earthlink.net ) for: 1171, 21
Nov 21 23:46:52 ovm2 identd[6646]: Successful lookup: 1171 ,
21 : root.root
Nov 21 23:50:05 ovm2 PAM_pwdb[6662]: (su) session opened for
user nobody by (uid=99)
Nov 21 23:51:38 ovm2 PAM_pwdb[6662]: (su) session closed for
user nobody
Nov 21 23:51:42 ovm2 identd[6669]: from: 209.127.0.66 (
ircd.c-com.net ) for: 1173, 6667
Nov 21 23:51:42 ovm2 identd[6669]: Successful lookup: 1173 ,
6667 : nobody.nobody
Nov 22 00:01:00 ovm2 PAM_pwdb[6674]: (su) session opened for
user news by (uid=9)
Nov 22 00:01:01 ovm2 PAM_pwdb[6674]: (su) session closed for
user news
Nov 22 00:40:28 ovm2 telnetd[6707]: ttloop:  peer died:
Invalid or incomplete multibyte or wide character
Nov 22 00:50:20 ovm2 telnetd[6708]: ttloop:  peer died:
Invalid or incomplete multibyte or wide character
Nov 22 01:01:00 ovm2 PAM_pwdb[6713]: (su) session opened for
user news by (uid=9)
Nov 22 01:01:00 ovm2 PAM_pwdb[6713]: (su) session closed for
user news
Nov 22 01:20:09 ovm2 identd[6746]: from: 206.251.7.30 (
irc.Prison.NET ) for: 1174, 6667
Nov 22 01:20:09 ovm2 identd[6746]: Successful lookup: 1174 ,
6667 : nobody.nobody
Nov 22 01:48:49 ovm2 identd[6748]: from: 207.154.148.66 (
irc-2.ais.net ) for: 1175, 6667
Nov 22 01:48:49 ovm2 identd[6748]: Successful lookup: 1175 ,
6667 : nobody.nobody
Nov 22 01:49:31 ovm2 identd[6750]: from: 207.154.148.66 (
irc-2.ais.net ) for: 1179, 6667
Nov 22 01:49:31 ovm2 identd[6750]: Successful lookup: 1179 ,
6667 : nobody.nobody
Nov 22 02:01:00 ovm2 PAM_pwdb[6755]: (su) session opened for
user news by (uid=9)
Nov 22 02:01:00 ovm2 PAM_pwdb[6755]: (su) session closed for
user news
Nov 22 03:01:00 ovm2 PAM_pwdb[6790]: (su) session opened for
user news by (uid=9)
Nov 22 03:01:00 ovm2 PAM_pwdb[6790]: (su) session closed for
user news
Nov 22 04:01:00 ovm2 PAM_pwdb[6825]: (su) session opened for
user news by (uid=9)
Nov 22 04:01:00 ovm2 PAM_pwdb[6825]: (su) session closed for
user news
Nov 22 04:02:00 ovm2 PAM_pwdb[6859]: (su) session opened for
user news by (uid=9)
Nov 22 04:02:32 ovm2 rnews[7004]: rejected connection What
server?
Nov 22 04:02:32 ovm2 PAM_pwdb[6859]: (su) session closed for
user news
Nov 22 04:02:32 ovm2 rnews[7006]: rejected connection What
server?

Comment 1 Aleksey Nogin 1998-11-24 07:51:59 UTC
IMHO, these messages:

Nov 21 16:51:33 ovm2 PAM_pwdb[6092]: (login) session opened for user
mobb by (uid=0)
Nov 21 16:51:33 ovm2 login[6092]: LOGIN ON ttyp0 BY mobb FROM
pool041-max1.ds8-ca-us.dialup.earthlink.net
Nov 21 16:51:36 ovm2 PAM_pwdb[6104]: (su) session opened for user
jeremy by mobb(uid=0)

would suggest that someone actually broke in. From the following lines

Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.
Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.

it would also seem that whoever broke into your machine also put your
ethernet card into promiscuous mode (it basically means that the
intruder would see anything sent over that ethernet, even if the
compromised computer is not a source or a destination) and probably
tried to listen for passwords that way.

Did you have the NFS updates (the ones that came out in the end of
August) installed?

Anyway, you may want to consider:
- reinstalling the system
- asking all people in that network to change their passwords
- be quicker in installing security updates next time.
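
The indicators Comment 1 reads out of the log (a login by an unexpected account right after the mountd alerts, a `su` from that account, the interface entering promiscuous mode) can be checked mechanically. The following Python is an added example, not part of the original report; the `KNOWN_USERS` allowlist, the 15-minute window and the finding names are assumptions, and the sample lines are copied from the log above with wrapped lines rejoined and the mount path shortened.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the report's log (wrapped lines rejoined; mount path shortened).
SAMPLE_LOG = [
    "Nov 20 10:15:16 ovm2 login[4739]: LOGIN ON ttyp0 BY ericdean FROM dial6.icwest.avalon.net",
    "Nov 21 16:01:00 ovm2 PAM_pwdb[6046]: (su) session opened for user news by (uid=9)",
    "Nov 21 16:49:37 ovm2 mountd[300]: Unauthorized access by NFS client 207.217.235.191.",
    "Nov 21 16:49:37 ovm2 mountd[300]: Blocked attempt of 207.217.235.191 to mount ^P^P^P^P^P^P^P^P",
    "Nov 21 16:51:33 ovm2 login[6092]: LOGIN ON ttyp0 BY mobb FROM pool041-max1.ds8-ca-us.dialup.earthlink.net",
    "Nov 21 16:51:36 ovm2 PAM_pwdb[6104]: (su) session opened for user jeremy by mobb(uid=0)",
    "Nov 21 16:55:40 ovm2 kernel: eth0: Setting promiscuous mode.",
]
KNOWN_USERS = {"ericdean", "root"}  # assumption: accounts the admin expects to see
YEAR = "1998 "                      # syslog omits the year; taken from the report date

RULES = [
    ("nfs_denied", re.compile(r"mountd\[\d+\]: (?:Unauthorized access by NFS client"
                              r"|Blocked attempt of) (?P<who>[\d.]+\d)")),
    ("login", re.compile(r"login\[\d+\]: LOGIN ON \S+ BY (?P<who>\S+)")),
    # cron-driven su lines read "by (uid=9)" with no invoking user and do not match
    ("su", re.compile(r"\(su\) session opened for user \S+ by (?P<who>[^\s(]+)\(")),
    ("promisc", re.compile(r"kernel: (?P<who>\S+): Setting promiscuous mode")),
]
CTRL = re.compile(r"\^[@-_]|[\x00-\x1f]")  # caret notation or raw control bytes

def triage(lines, known=KNOWN_USERS, window=timedelta(minutes=15)):
    """Return (timestamp, finding, subject) tuples for a chronological syslog excerpt."""
    findings, last_nfs = [], None
    for line in lines:
        ts = datetime.strptime(YEAR + line[:15], "%Y %b %d %H:%M:%S")
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            who = m.group("who")
            if name == "nfs_denied":
                last_nfs = ts
                if CTRL.search(line.partition(" to mount ")[2]):
                    name = "nfs_ctrl_chars_in_path"  # non-printable export path
            elif name in ("login", "su"):
                if who in known:
                    continue
                near = last_nfs is not None and timedelta(0) <= ts - last_nfs <= window
                name += "_unknown_after_nfs" if near else "_unknown"
            findings.append((line[:15], name, who))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The hourly `news` and `nobody` su entries produce no findings because they carry no invoking user name, which keeps the cron noise in this log out of the result.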

Comment 2 Preston Brown 1998-11-24 16:46:59 UTC
If you are not using

Comment 3 Preston Brown 1998-11-24 16:48:59 UTC
If you are not using the latest NFS errata packages, you need to be.

nfs-server-2.2beta29-7.i386.rpm
nfs-server-clients-2.2beta29-7.i386.rpm

from updates.redhat.com.  Please re-open this bug if you were using
these versions when the break-in occurred.

