[CentOS] odd entries in logwatch
Venom User
wubba at ViperShells.com
Wed Mar 22 14:34:23 UTC 2006
|-----Original Message-----
|From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
|Subject: [CentOS] odd entries in logwatch
|
|
|I am concerned about these entries reported this morning in the
|logwatch from one of our servers running CentOS4-2. Before I
|invest a lot of time and effort tracking this down I wonder if
|anyone here recognizes what is going on and why these entries
|exist.
|
|These are sealed servers with no local user accounts beyond those
|needed by system and application software. Login authentication is
|primarily by SSL certificate, however ssh password logins for
|certain backdoor accounts are enabled as a fallback. There are no
|records of unexpected logins via ssh or by userids not customarily
|associated with routine maintenance. Telnet is disabled. Only
|anonymous ftp is permitted and that service is provided by
|vsftpd. The only thing that I can bring to mind that might account
|for these records internally is that yesterday we ran "yum update"
|on this machine. Might the update account for this trace?
|
|
|> Changed users GID: mailman: 41 -> 41
|>
|> **Unmatched Entries**
|
|> usermod[25137]: change user `mailman' shell from `/sbin/nologin'
|> to `/sbin/nologin'
|
|> usermod[25150]: change user `gdm' shell from `/sbin/nologin' to
|> `/sbin/nologin'
|
|... much sendmail stuff
|
|-------------------- SSHD Begin ------------------------
|
|
|SSHD Killed: 2 Time(s)
|
|SSHD Started: 2 Time(s)
|
|Failed to bind:
| 0.0.0.0 port 22 (Address already in use) : 2 Time(s)
|
|Users logging in through sshd:
| xxxxxxx:
| inet05.hamilton.harte-lyne.ca (216.185.71.25): 1 time
|
| ---------------------- SSHD End -------------------------
|
| --------------------- vsftpd-messages Begin ------------------------
|
|
|Failed FTP Logins:
| (81.57.169.170): anonymous - 9 Time(s)
| (83.170.32.48): anonymous - 7 Time(s)
| (80.194.231.91): anonymous - 9 Time(s)
|
| ---------------------- vsftpd-messages End -------------------------
|Regards,
|Jim
Jim,
That is the result of the recent updates made available.
Automatic yum update? or manual update recently?
Brian.
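
A triage sketch for the usermod entries in the report above, added here as an example and not part of the original thread: it separates entries whose old and new values are identical, like the two quoted, from entries that actually change an account. The timestamps, host name, the `svc_example` and sshd sample lines, and the `NOLOGIN_SHELLS` set are constructed assumptions.

```python
import re

# Matches the usermod message form quoted in the logwatch report above:
#   usermod[PID]: change user `NAME' FIELD from `OLD' to `NEW'
USERMOD_RE = re.compile(
    r"usermod\[(?P<pid>\d+)\]: change user `(?P<user>[^']+)' "
    r"(?P<field>\w+) from `(?P<old>[^']*)' to `(?P<new>[^']*)'"
)

# Shells treated as non-interactive (assumption made for this example).
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}


def classify(line):
    """Return (user, field, old, new, verdict), or None if not a usermod change."""
    m = USERMOD_RE.search(line)
    if not m:
        return None
    user, field, old, new = m.group("user", "field", "old", "new")
    if old == new:
        verdict = "no-op"  # value rewritten unchanged, as in the report
    elif field == "shell" and old in NOLOGIN_SHELLS and new not in NOLOGIN_SHELLS:
        verdict = "review: login shell enabled"
    else:
        verdict = "changed"
    return (user, field, old, new, verdict)


def triage(lines):
    """Classify every usermod change record found in an iterable of log lines."""
    return [r for r in map(classify, lines) if r is not None]


# Constructed sample. The first two messages mirror the entries quoted in the
# thread; timestamps, host name and the last two lines are invented.
SAMPLE = [
    "Mar 21 10:00:01 host usermod[25137]: change user `mailman' shell from `/sbin/nologin' to `/sbin/nologin'",
    "Mar 21 10:00:02 host usermod[25150]: change user `gdm' shell from `/sbin/nologin' to `/sbin/nologin'",
    "Mar 21 10:05:00 host usermod[25999]: change user `svc_example' shell from `/sbin/nologin' to `/bin/bash'",
    "Mar 21 10:06:00 host sshd[26001]: Server listening on 0.0.0.0 port 22.",
]

if __name__ == "__main__":
    for user, field, old, new, verdict in triage(SAMPLE):
        print(f"{user:12} {field:6} {old} -> {new}  [{verdict}]")
```
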