[CentOS] Audit logs containing 28756E6B6E6F776E207573657229

Tue Jun 18 04:27:53 UTC 2013
Gregory Machin <gdm at linuxpro.co.za>

Hi.

Thank you for the response.

All I see in /var/log/secure that ties up with these logs, based on
timestamps, are lines like this: "sshd[5343]: Connection closed by
127.0.0.1".
Other than that I don't see much else.

Thanks

G



On Wed, Jun 12, 2013 at 9:40 PM, Nicolas Thierry-Mieg <
Nicolas.Thierry-Mieg at imag.fr> wrote:

>
>
> Gregory Machin wrote:
> > Hi.
> > I'm seeing a lot of entries in /var/log/audit/audit.log
> > acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
> >
> > Sample from the logs:
> > type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0
> > auid=4294967295 ses=4294967295 msg='op=login
> > acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
> > addr=127.0.0.1 terminal=ssh res=failed'
> >
> > How do I track down what is causing this? Thus far I have had no luck
> > using the pid with ps or lsof, as it seems the process has gone by the
> > time I respond to the log entries.
>
> It looks like a failed login attempt through ssh, but I would check
> /var/log/secure, which may be more explicit.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
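
The acct value in the record quoted above is hex-encoded, which auditd does for string fields containing a space or other special characters. As an added example (not part of the original thread), this Python sketch decodes such fields, converts the audit timestamp to UTC for matching against /var/log/secure, and tallies failed logins; the names and the set of fields treated as strings are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Record copied from the post above, joined onto one line as auditd writes it.
SAMPLE = (
    "type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login "
    "acct=28756E6B6E6F776E207573657229 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=127.0.0.1 terminal=ssh res=failed'"
)

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s\']+)')
HEX = re.compile(r"(?:[0-9A-F]{2})+")
# Assumption: only these fields carry strings that may be hex-encoded.
# Numeric fields such as auid=4294967295 also look like hex and must be left alone.
STRING_FIELDS = {"acct", "exe", "comm", "cwd", "name", "cmd"}

def decode_value(raw):
    """Quoted values are literal; a bare run of uppercase hex pairs is an encoded string."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: decode_value(v) if k in STRING_FIELDS else v.strip('"')
           for k, v in FIELD.findall(line[m.end():])}
    rec["type"] = m.group(1)
    # Epoch seconds -> UTC, so the event can be lined up with /var/log/secure.
    rec["time"] = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    rec["serial"] = int(m.group(4))
    return rec

def failed_logins(lines):
    """Count failed USER_LOGIN records by (account, source address, reporting binary)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            counts[(rec.get("acct"), rec.get("addr"), rec.get("exe"))] += 1
    return counts

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(rec["time"].isoformat(), rec["acct"], rec["addr"])
    print(failed_logins([SAMPLE]).most_common())
```

Run over the full audit.log, the tally shows how often and from which address the failures arrive, which helps when the process has already exited by the time the entry is noticed.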