Bug 644 - Unauthorized login: cigna
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: netkit-base
Version: 5.1
Hardware: i386
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: David Lawrence
Reported: 1998-12-29 05:11 UTC by edge
Modified: 2008-05-01 15:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 1998-12-29 18:44:45 UTC

Description edge 1998-12-29 05:11:18 UTC
The following was found in my /var/log/messages file.

[root@has-a RedHat]# grep cigna /var/log/messages
Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net

However, a grep of /etc/password provided no login
of that name.

I saw no reports of this, and could not search the mailing
list archives; however, I did notice another user posted to
dejanews with the same problem.

I have had to disable telnetd, as my entire system was
compromised from this.

Comment 1 David Lawrence 1998-12-29 18:44:59 UTC
I would suggest contacting the sysadmin from the site mentioned in the
/var/log/messages to see if they have a record of a user by that name.
Let them know of the wrongdoing and they should take action.
I would recommend restoring from a previous backup or reinstalling
from scratch and then applying all security updates. I have not been able
to replicate the login in our test lab. Certain important system files
must have been replaced by the intruder to allow logging in by that
name.
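
The manual check in the description (grep the log for a login, then look for that name in the password file) can be automated across every login in the log. The following Python is an added example, not part of the original bug report or of any Red Hat tooling; the function names, the sample passwd content and the third log line are constructed for illustration.

```python
import re

# syslog layout: "Dec 28 16:12:01 has-a login[3860]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
PAM_OPEN = re.compile(r"\(login\) session opened for user (\S+) by")
LOGIN_ON = re.compile(r"LOGIN ON (\S+) BY (\S+)(?: FROM (\S+))?")

# First two lines are from the report above; the third is constructed.
SAMPLE_LOG = """\
Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened for user cigna by (uid=0)
Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna FROM webmaxx.colo.onramp.net
Dec 28 17:03:40 has-a login[3911]: LOGIN ON ttyp2 BY alice FROM host.example.org
"""
# Constructed passwd content; "cigna" is absent, matching what the reporter saw.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"


def passwd_users(passwd_text):
    """Account names from passwd(5)-format text (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line.strip() and not line.startswith("#")}


def unknown_logins(log_text, passwd_text):
    """Return login sessions whose user has no passwd entry."""
    known = passwd_users(passwd_text)
    sessions = {}  # keyed by (host, pid); assumes no pid reuse within the log
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, host, _prog, pid, msg = m.groups()
        s = sessions.setdefault(
            (host, pid), {"time": when, "user": None, "tty": None, "from": None})
        pam = PAM_OPEN.search(msg)
        login = LOGIN_ON.search(msg)
        if pam:
            s["user"] = pam.group(1)
        elif login:
            s["tty"], s["user"], s["from"] = login.groups()
    return [s for s in sessions.values() if s["user"] and s["user"] not in known]


if __name__ == "__main__":
    for s in unknown_logins(SAMPLE_LOG, SAMPLE_PASSWD):
        print("login by account missing from passwd:", s)
```

As Comment 1 points out, files on a compromised host may have been replaced, so the check is most useful when run against logs and a passwd copy kept off that host.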

