public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Had a peak in /var/log and there is a telnet dir
Date: Mon, 28 Jul 2014 16:54:04 +0200
Message-ID: <53D6640C.5040206@gmail.com>
In-Reply-To: <53D661FE.7050006@wht.com.au>

On 28/07/2014 16:45, Andrew Lowe wrote:
> Hi all,
> 	I don't run telnet at all. I don't even have it installed on my machine
> yet tonight I had a look in /var/lib to try and find a reason as to why
> something else is failing and lo and behold there is a telnet dir.
> Having a look inside shows:
> 
> ******************
> 
> bluey telnet # pwd
> /var/log/telnet
> bluey telnet # ls -la
> total 48
> drwx------  2 root root 4096 Jul  2 14:58 .
> drwxr-xr-x 15 root root 8192 Jul 28 22:03 ..
> -rw-r--r--  1 root root  145 Jul  2 14:58 current
> -rw-r--r--  1 root root  145 May  4 21:07 log-2014-05-12-11:22:05
> -rw-r--r--  1 root root  372 May 12 19:22 log-2014-05-26-11:54:56
> -rw-r--r--  1 root root  145 May 26 19:54 log-2014-06-13-04:25:41
> -rw-r--r--  1 root root  145 Jun 13 12:25 log-2014-06-30-10:39:20
> -rw-r--r--  1 root root  513 Jun 30 22:09 log-2014-07-02-06:58:34
> -rw-r--r--  1 root root   11 Jul  2 14:58 .timestamp
> bluey telnet #
> bluey telnet # telnet
> bash: telnet: command not found
> 
> ******************
> 
> Looking inside one of these files reveals:
> 
> ******************
> 
> bluey telnet # cat log-2014-05-26-11\:54\:56
> May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
> May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
> May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
> May 12 19:22:15 [login] ROOT LOGIN  on '/dev/tty1'
> 
> ******************
> 
> Sorry for the bad wrapping, each new line starts with "May 12..."
> 
> 	Does anyone have any ideas as to why there is a telnet dir with
> something in it on my machine???? Does anyone know of another app that
> might for some bizarre reason, create a telnet dir?????
> 
> 	Any thoughts, greatly appreciated,
> 
> 		Andrew

Files in /var/log are usually created by syslog, and those have the
correct format for syslog entries and are using the tag "login". But
they are not telnet logins, they are console logins on /dev/tty1. This
all looks perfectly normal btw, they are just in a directory with an odd
name.

So, first thing is to check your syslogger's config and see if it is
configured to add logs with the message "login" to a file in a directory
"telnet"[1]. Better, post your scrubbed config here.

If that looks legit, check your logrotate config.

I wouldn't be assuming an intrusion here, it doesn't have the look or
feel of one. I'd be assuming a stoopid config :-)



-- 
Alan McKinnon
alan.mckinnon@gmail.com
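The distinction Alan draws (console login on /dev/tty1 versus a remote login) can be checked mechanically rather than by eye. The following is an added example, not code from the thread: it parses the quoted [login] lines, which carry tty= and rhost= in the pam_unix record, and reports whether every login with a tty was a local console one. The sshd line with 203.0.113.7 is a constructed, hypothetical remote entry added for contrast.

```python
import re
from typing import Dict, Optional

# Constructed sample: the four [login] lines quoted in the thread, unwrapped, plus one
# hypothetical sshd line (203.0.113.7 is documentation address space) for contrast.
CONSOLE_LOG = """\
May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 12 19:22:15 [login] ROOT LOGIN  on '/dev/tty1'
"""
REMOTE_LINE = ("May 13 08:00:01 [sshd] pam_unix(sshd:auth): authentication failure; "
               "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root\n")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<tag>[^\]]+)\] (?P<msg>.*)$")
PAM_RE = re.compile(r"pam_unix\([^:]+:(?P<kind>auth|session)\): (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # pam_unix key=value pairs; rhost= is empty for console logins

def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """One syslog-style line -> {kind, user, tty, rhost}, or None if it is not a login line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg, pam = m.group("msg"), PAM_RE.match(m.group("msg"))
    if pam and pam.group("kind") == "auth":
        kv = dict(KV_RE.findall(pam.group("rest")))
        return {"kind": "auth_failure", "user": kv.get("user"), "tty": kv.get("tty"),
                "rhost": kv.get("rhost") or None}  # "" (console) is normalised to None
    if pam:  # session line: "session opened for user root by LOGIN(uid=0)"
        su = re.search(r"session opened for user (\S+)", pam.group("rest"))
        return {"kind": "session_open", "user": su and su.group(1), "tty": None, "rhost": None}
    fl = re.match(r"FAILED LOGIN \(\d+\) on '([^']+)' FOR '([^']+)'", msg)
    if fl:
        return {"kind": "failed_login", "user": fl.group(2), "tty": fl.group(1), "rhost": None}
    rl = re.match(r"ROOT LOGIN +on '([^']+)'", msg)
    if rl:
        return {"kind": "root_login", "user": "root", "tty": rl.group(1), "rhost": None}
    return None

def is_local_console(ev: Dict[str, Optional[str]]) -> bool:
    # A local console login shows a /dev/tty* device and no remote host.
    return (ev["tty"] or "").startswith("/dev/tty") and not ev["rhost"]

def summarize(text: str) -> Dict[str, object]:
    """Answer the thread's question: console logins, or remote (telnet/ssh-style) ones?"""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    with_tty = [e for e in events if e["tty"]]
    return {"events": len(events),
            "console_only": bool(with_tty) and all(map(is_local_console, with_tty)),
            "remote_hosts": sorted({e["rhost"] for e in events if e["rhost"]}),
            "root_logins": sum(e["kind"] == "root_login" for e in events)}
```

Run on the thread's own lines, summarize(CONSOLE_LOG) reports console_only True and no remote hosts; appending REMOTE_LINE flips console_only to False and lists 203.0.113.7.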


