Bug 644 - Unauthorized login: cigna
Unauthorized login: cigna
Product: Red Hat Linux
Classification: Retired
Component: netkit-base (Show other bugs)
i386 Linux
high Severity medium
: ---
: ---
Assigned To: David Lawrence
: Security
Depends On:
  Show dependency treegraph
Reported: 1998-12-29 00:11 EST by edge
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1998-12-29 13:44:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description edge 1998-12-29 00:11:18 EST
The following was found in my /var/log/messages file.

[root@has-a RedHat]# grep cigna /var/log/messages
Dec 28 16:12:01 has-a PAM_pwdb[3860]: (login) session opened
for user cigna by (uid=0)
Dec 28 16:12:01 has-a login[3860]: LOGIN ON ttyp5 BY cigna
FROM webmaxx.colo.onramp.net

However, a grep of /etc/password provided no login
of that name.

I saw no reports of this, and could not search the mailing
list archives, however I did notice another user posted to
dejanews with the same problem.

I have had to disable telnetd, as my entire system was
compromised from this.
Comment 1 David Lawrence 1998-12-29 13:44:59 EST
I would suggest contacting the sysadmin from the site mentioned in the
/var/log/messages to see if they have a record of a user by that name.
Let them know of the wrongdoing and they should take action.
I would recommend restoring from a previous backup or reinstalling
from scratch and then apply all security updates. I have not been able
to replicate the login in our test lab. Certain important system files
must have been replaced by the intruder to allow logging in by that

Note You need to log in before you can comment on or make changes to this bug.