public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Had a peek in /var/log and there is a telnet dir
From: Andrew Lowe @ 2014-07-28 14:45 UTC
  To: gentoo-user

Hi all,
	I don't run telnet at all. I don't even have it installed on my machine,
yet tonight I had a look in /var/lib to try and find a reason as to why
something else is failing and lo and behold there is a telnet dir.
Having a look inside shows:

******************

bluey telnet # pwd
/var/log/telnet
bluey telnet # ls -la
total 48
drwx------  2 root root 4096 Jul  2 14:58 .
drwxr-xr-x 15 root root 8192 Jul 28 22:03 ..
-rw-r--r--  1 root root  145 Jul  2 14:58 current
-rw-r--r--  1 root root  145 May  4 21:07 log-2014-05-12-11:22:05
-rw-r--r--  1 root root  372 May 12 19:22 log-2014-05-26-11:54:56
-rw-r--r--  1 root root  145 May 26 19:54 log-2014-06-13-04:25:41
-rw-r--r--  1 root root  145 Jun 13 12:25 log-2014-06-30-10:39:20
-rw-r--r--  1 root root  513 Jun 30 22:09 log-2014-07-02-06:58:34
-rw-r--r--  1 root root   11 Jul  2 14:58 .timestamp
bluey telnet #
bluey telnet # telnet
bash: telnet: command not found

******************

Looking inside one of these files reveals:

******************

bluey telnet # cat log-2014-05-26-11\:54\:56
May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 12 19:22:15 [login] ROOT LOGIN  on '/dev/tty1'

******************

Sorry for the bad wrapping, each new line starts with "May 12..."

	Does anyone have any ideas as to why there is a telnet dir with
something in it on my machine???? Does anyone know of another app that
might, for some bizarre reason, create a telnet dir?????

	Any thoughts, greatly appreciated,

		Andrew

* Re: [gentoo-user] Had a peek in /var/log and there is a telnet dir
From: Alan McKinnon @ 2014-07-28 14:54 UTC
  To: gentoo-user

On 28/07/2014 16:45, Andrew Lowe wrote:
> 	Does anyone have any ideas as to why there is a telnet dir with
> something in it on my machine???? Does anyone know of another app that
> might for some bizarre reason, create a telnet dir?????

Files in /var/log are usually created by syslog, and those have the
correct format for syslog entries and are using the tag "login". But
they are not telnet logins, they are console logins on /dev/tty1. This
all looks perfectly normal btw, they are just in a directory with an odd
name.

So, first thing is to check your syslogger's config and see if it is
configured to add logs with the message "login" to a file in a directory
"telnet"[1]. Better, post your scrubbed config here.

If that looks legit, check your logrotate config.

I wouldn't be assuming an intrusion here, it doesn't have the look or
feel of one. I'd be assuming a stoopid config :-)



-- 
Alan McKinnon
alan.mckinnon@gmail.com
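Alan's point is that the entries are console logins, not telnet ones: pam_unix recorded an empty rhost= and a /dev/tty1 terminal. As an added example that is not part of the thread, this Python snippet parses such [login] lines and separates console events from remote ones, which is the check to run before deciding whether an oddly named log directory is a config quirk or something worse. The sample lines are the thread's own, unwrapped; the regexes and field names are assumptions about the syslog and pam_unix layout shown on the page.

```python
import re
from collections import Counter

# Constructed sample: the thread's four log entries, with the mail wrapping undone.
SAMPLE_LOG = """\
May 12 19:22:05 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
May 12 19:22:07 [login] FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 12 19:22:15 [login] pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 12 19:22:15 [login] ROOT LOGIN  on '/dev/tty1'
"""

# "Mon DD HH:MM:SS [tag] message": the syslog-style layout seen in the thread.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}) (\d\d:\d\d:\d\d) \[([^\]]+)\] (.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S*)")      # pam_unix key=value pairs; a value may be empty
TTY_RE = re.compile(r"'(/dev/tty\S*)'")   # terminal quoted by login(1) itself
KINDS = [("ROOT LOGIN", "root_login"), ("FAILED LOGIN", "failed_login"),  # first match wins
         ("authentication failure", "auth_failure"), ("session opened", "session_open")]


def parse_line(line):
    """Split a syslog-style line into date, time, tag, msg; None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    return dict(zip(("date", "time", "tag", "msg"), m.groups())) if m else None


def classify(event):
    """Label the event and decide whether it came from a local terminal or a remote host."""
    msg = event["msg"]
    kind = next((k for needle, k in KINDS if needle in msg), "other")
    fields = dict(KV_RE.findall(msg))
    if fields.get("rhost"):                            # pam_unix saw a remote host: network login
        origin = "remote:" + fields["rhost"]
    elif fields.get("tty") or TTY_RE.search(msg):      # a /dev/tty* device: someone at the console
        origin = "console"
    else:
        origin = "unknown"                             # e.g. the bare "session opened" line
    return {"kind": kind, "origin": origin}


def summarize(text):
    """Count [login]-tagged events by kind and by origin over a whole log file's text."""
    out = {"total": 0, "console": 0, "remote": 0, "unknown": 0, "kinds": Counter()}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["tag"] != "login":
            continue
        c = classify(ev)
        out["total"] += 1
        out["kinds"][c["kind"]] += 1
        out[c["origin"].split(":", 1)[0]] += 1
    return out
```

Run summarize() over each file in the directory: a non-zero "remote" count, or a kind you did not expect, is what would turn a logger-config question into an incident question.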
