[CentOS] odd entries in logwatch

Wed Mar 22 14:03:25 UTC 2006
James B. Byrne <ByrneJB at Harte-Lyne.ca>

I am concerned about these entries reported this morning in the 
logwatch from one of our servers running CentOS4-2.  Before I 
invest a lot of time and effort tracking this down I wonder if 
anyone here recognizes what is going on and why these entries 
exist.

These are sealed servers with no local user accounts beyond those 
needed by system and application software.  Login authentication is 
primarily by SSL certificate, however ssh password logins for 
certain backdoor accounts are enabled as a fallback.  There are no 
records of unexpected logins via ssh or by userids not customarily 
associated with routine maintenance.  Telnet is disabled.  Only 
anonymous ftp is permitted and that service is provided by 
vsftpd. The only thing that I can bring to mind that might account 
for these records internally is that yesterday we ran "yum update" 
on this machine.  Might the update account for this trace?


> Changed users GID:    mailman: 41 -> 41
> 
> **Unmatched Entries**

> usermod[25137]: change user `mailman' shell from `/sbin/nologin'
> to `/sbin/nologin' 

> usermod[25150]: change user `gdm' shell from `/sbin/nologin' to
> `/sbin/nologin' 

... much sendmail stuff

-------------------- SSHD Begin ------------------------ 


SSHD Killed: 2 Time(s)

SSHD Started: 2 Time(s)

Failed to bind:
   0.0.0.0 port 22 (Address already in use) : 2 Time(s)

Users logging in through sshd:
   xxxxxxx:
      inet05.hamilton.harte-lyne.ca (216.185.71.25): 1 time

 ---------------------- SSHD End ------------------------- 

 --------------------- vsftpd-messages Begin ------------------------ 


Failed FTP Logins:
 (81.57.169.170): anonymous - 9 Time(s)
 (83.170.32.48): anonymous - 7 Time(s)
 (80.194.231.91): anonymous - 9 Time(s)

 ---------------------- vsftpd-messages End ------------------------- 

Please note that I am a digest subscriber, so that the favour of a 
direct copy of your reply would be greatly appreciated.

Regards,
Jim

--   
     *** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3
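
A triage helper for the account-change lines quoted in the message above, as an added example that is not part of the original post: it separates usermod and GID entries whose old and new values are identical from those that record a real change. The `svc` entry in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample: the usermod and GID lines from the report above,
# plus one constructed entry (user "svc") whose shell really changes.
SAMPLE = """\
Changed users GID:    mailman: 41 -> 41
usermod[25137]: change user `mailman' shell from `/sbin/nologin'
to `/sbin/nologin'
usermod[25150]: change user `gdm' shell from `/sbin/nologin' to
`/sbin/nologin'
usermod[25199]: change user `svc' shell from `/sbin/nologin' to `/bin/bash'
"""

# The log quotes values as `value'; \s+ tolerates mail line wrapping.
SHELL_RE = re.compile(
    r"usermod\[(\d+)\]:\s+change\s+user\s+`([^']+)'\s+shell\s+from\s+"
    r"`([^']*)'\s+to\s+`([^']*)'")
GID_RE = re.compile(r"Changed users GID:\s+(\S+):\s+(\d+)\s+->\s+(\d+)")

def strip_quotes(text):
    """Remove '> ' reply quoting so pasted mail text parses too."""
    return "\n".join(re.sub(r"^\s*>\s?", "", l) for l in text.splitlines())

def classify(report):
    """Return (real_changes, no_ops) as lists of (user, field, old, new)."""
    text = strip_quotes(report)
    events = [(m.group(2), "shell", m.group(3), m.group(4))
              for m in SHELL_RE.finditer(text)]
    events += [(m.group(1), "gid", m.group(2), m.group(3))
               for m in GID_RE.finditer(text)]
    real = [e for e in events if e[2] != e[3]]
    noop = [e for e in events if e[2] == e[3]]
    return real, noop

if __name__ == "__main__":
    real, noop = classify(SAMPLE)
    for user, field, old, new in noop:
        print(f"no-op : {user} {field} stays {old}")
    for user, field, old, new in real:
        print(f"REVIEW: {user} {field} {old} -> {new}")
```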