Posted to users@spamassassin.apache.org by "Tuc at T-B-O-H.NET" <ml...@t-b-o-h.net> on 2006/07/19 21:06:55 UTC

nologin: Attempted login by root on UNKNOWN

Hi,

	At around 1p yesterday all of a sudden I started to see some
messages out of the ordinary. I've tracked it down to happening around
the same time SA is running. 

	I syslog everything to /var/log/spool, and if I do :

 egrep 'clean |nologin' /var/log/spool | grep -v kernel

I see things like:

Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes. 
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes. 
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes. 
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes. 
Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes. 
Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes. 
Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes. 
Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN

	I know this sounds the usual, but I didn't change or upgrade
anything when it started.


	Any thoughts? How do I debug?

			Thanks, Tuc/TBOH
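The correlation Tuc did by eye (does every nologin line have a spamd line in the same second?) as a small script; this is an added example, not part of the thread. The sample log is the post's own lines plus one constructed nologin line at 14:00:00 with no spamd neighbour, to show the case that would still deserve a look.

```python
import re
from datetime import datetime

# Lines copied from the post above, plus one constructed nologin line (14:00:00)
# with no spamd line beside it, to show the uncorrelated case.
SAMPLE_LOG = """\
Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 14:00:00 asgard nologin: Attempted login by root on UNKNOWN
"""

# BSD syslog line: "<Mon DD HH:MM:SS> <host> <prog>[pid]: <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Parse one syslog line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    # The timestamp carries no year; strptime fills in 1900, fine for differences.
    return {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host, "prog": prog, "msg": msg}

def correlate(log_text, window_s=1):
    """Split nologin events into those logged within window_s seconds of a spamd line
    (the pattern Tuc reports, gone once SHELL=/bin/sh was set in .procmailrc) and the rest."""
    evs = [e for e in map(parse, log_text.splitlines()) if e]
    spamd_times = [e["time"] for e in evs if e["prog"] == "spamd"]
    explained, unexplained = [], []
    for e in evs:
        if e["prog"] != "nologin":
            continue
        near = any(abs((e["time"] - t).total_seconds()) <= window_s for t in spamd_times)
        (explained if near else unexplained).append(e)
    return explained, unexplained

def counts_per_second(log_text):
    """Per timestamp, (spamd lines, nologin lines): the tallies jdow compared by eye."""
    counts = {}
    for e in filter(None, map(parse, log_text.splitlines())):
        if e["prog"] in ("spamd", "nologin"):
            key = e["time"].strftime("%b %d %H:%M:%S")
            s, n = counts.get(key, (0, 0))
            counts[key] = (s + (e["prog"] == "spamd"), n + (e["prog"] == "nologin"))
    return counts
```

Run it over the real file with `correlate(open("/var/log/spool").read())`; any entry in the second list has no spamd line near it and is the one worth investigating as a genuine login attempt.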

Re: nologin: Attempted login by root on UNKNOWN

Posted by jdow <jd...@earthlink.net>.
From: "Tuc at T-B-O-H.NET" <ml...@t-b-o-h.net>
>> 
>> Recognize that you likely have two different "problems."
>> 
>> The clean simply means spamd correctly processed a message that was not
>> spam.
>>
> Right, I know. I was trying to point out that every time I had a
> clean message, I had one of those attempts... Showing it was
> related in my investigation.

It looked like the number of spamd messages didn't match the number
of nologin messages, hence my guess. {^_-}

>> The attempted login messages are some other item attempting to
>> break into your machine on the root account. I'd suspect an ssh based
>> attack.
>> 
> Actually, no, it's not. SSH is closed up pretty tight, open to only
> a single box in the datacenter.
> 
> It turns out the solution to this was to put :
> 
> SHELL=/bin/sh
> 
> in the top of each user's .procmailrc that ran spamc.

Ah, that would make a difference in some cases. I note that I do not
have that in the ones here and do not see the nologin messages. I
wonder what the difference is.
{^_^}

Re: nologin: Attempted login by root on UNKNOWN

Posted by "Tuc at T-B-O-H.NET" <ml...@t-b-o-h.net>.
> 
> From: "Tuc at T-B-O-H.NET" <ml...@t-b-o-h.net>
> 
> > Hi,
> >
> > At around 1p yesterday all of a sudden I started to see some
> > messages out of the ordinary. I've tracked it down to happening around
> > the same time SA is running.
> >
> > I syslog everything to /var/log/spool, and if I do :
> >
> > egrep 'clean |nologin' /var/log/spool | grep -v kernel
> >
> > I see things like:
> >
> > Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 
> > 7.2 seconds, 1538 bytes.
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 
> > seconds, 70282 bytes.
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 
> > 2.3 seconds, 1635 bytes.
> > Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 
> > 1.6 seconds, 11011 bytes.
> > Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 
> > 1.4 seconds, 2251 bytes.
> > Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 
> > 1.7 seconds, 11323 bytes.
> > Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 
> > seconds, 20370 bytes.
> > Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN
> >
> > I know this sounds the usual, but I didn't change or upgrade
> > anything when it started.
> >
> >
> > Any thoughts? How do I debug?
> 
> Recognize that you likely have two different "problems."
> 
> The clean simply means spamd correctly processed a message that was not
> spam.
>
	Right, I know. I was trying to point out that every time I had a
clean message, I had one of those attempts... Showing it was
related in my investigation.
>
> The attempted login messages are some other item attempting to
> break into your machine on the root account. I'd suspect an ssh based
> attack.
> 
	Actually, no, it's not. SSH is closed up pretty tight, open to only
a single box in the datacenter.

	It turns out the solution to this was to put :

SHELL=/bin/sh

	in the top of each user's .procmailrc that ran spamc.

	Thanks for the reply though.

			Tuc/TBOH

Re: nologin: Attempted login by root on UNKNOWN

Posted by jdow <jd...@earthlink.net>.
From: "Tuc at T-B-O-H.NET" <ml...@t-b-o-h.net>

> Hi,
>
> At around 1p yesterday all of a sudden I started to see some
> messages out of the ordinary. I've tracked it down to happening around
> the same time SA is running.
>
> I syslog everything to /var/log/spool, and if I do :
>
> egrep 'clean |nologin' /var/log/spool | grep -v kernel
>
> I see things like:
>
> Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 
> 7.2 seconds, 1538 bytes.
> Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 
> seconds, 70282 bytes.
> Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 
> 2.3 seconds, 1635 bytes.
> Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 
> 1.6 seconds, 11011 bytes.
> Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 
> 1.4 seconds, 2251 bytes.
> Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 
> 1.7 seconds, 11323 bytes.
> Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
> Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 
> seconds, 20370 bytes.
> Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN
>
> I know this sounds the usual, but I didn't change or upgrade
> anything when it started.
>
>
> Any thoughts? How do I debug?

Recognize that you likely have two different "problems."

The clean simply means spamd correctly processed a message that was not
spam. The attempted login messages are some other item attempting to
break into your machine on the root account. I'd suspect an ssh based
attack.

{^_^}