05-19-2012, 08:05 PM
Glenn English

pam problem

I am getting many, many entries in auth.log like these:

> /var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
> /var/log/auth.log:May 18 03:39:23 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
> /var/log/auth.log:May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 03:40:08 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 03:40:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 09:14:57 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=
> /var/log/auth.log:May 18 09:15:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=

Over on SDLU, I was told the empty "rhost=" looks like there is a Trojan using a
socket on my email host. I knew nothing about sockets -- not much more now. Can
anyone tell me how to find it and squash it?

I've never seen anything like this. It's not happening very fast, and I've made
sure the usernames and passwords are good, so statistically, it's going to take
quite a while to get in. But it might get lucky, so I'd like to deal with it.

I've looked with netstat, and I don't see anything suspicious. It occurs to me that it
might be a program that runs every so often, and very quickly, so it doesn't show up
in random "ps" or "top" checks.

The only thing I can think of to do is reinstall. I know that's sometimes the correct
thing to do, but that's so Windows :-) Any advice will be greatly appreciated...

BTW, Please feel free to reply to me personally; my Postfix configuration sometimes considers
bendel.debian.org to be a spammer (it doesn't find a domain for the IP).

Oh. And I'm still on lenny, so reinstalling doesn't seem like too bad an idea...

--
Glenn English
hand-wrapped from my Apple Mail
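
An added example, not part of the original post: a short Python script that groups `pam_unix` authentication failures like the ones quoted above by `ruser`, counting how many arrive with an empty `rhost=` and the shortest gap between attempts. The first five sample lines are copied from the post, the last is constructed, and the year is passed in as an assumption because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five lines are copied from the post; the last one is constructed
# (made-up user, documentation-range address) to show a populated rhost.
SAMPLE = """\
/var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
/var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
/var/log/auth.log:May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
/var/log/auth.log:May 18 03:40:08 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
/var/log/auth.log:May 18 03:40:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
May 18 10:00:00 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10
"""

# search() is used so a leading "file:" prefix from grep output is tolerated.
FAIL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\s\S+?:\s"
    r"pam_unix\([^)]+\): authentication failure;\s(?P<kv>.*)$"
)

def parse_failure(line, year):
    """Parse one pam_unix failure line; empty values such as 'rhost=' become ''."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "ruser": fields.get("ruser", ""), "rhost": fields.get("rhost", "")}

def summarize(text, year):
    """Per ruser: failure count, empty-rhost count, distinct rhosts, shortest gap in seconds."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if rec := parse_failure(line, year):
            by_user[rec["ruser"]].append(rec)
    report = {}
    for user, recs in by_user.items():
        times = sorted(r["when"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[user] = {
            "failures": len(recs),
            "empty_rhost": sum(1 for r in recs if not r["rhost"]),
            "rhosts": sorted({r["rhost"] for r in recs if r["rhost"]}),
            "min_gap_s": min(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE, 2012))
```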



