
could you help interpret my logs?



Well I know someone was trying to gain access to my FC 2 server:

sshd:
   Authentication Failures:
      root (209.67.215.146): 59 Time(s)
      adm (209.67.215.146): 2 Time(s)
      apache (209.67.215.146): 1 Time(s)
      cyrus (209.67.215.146): 1 Time(s)
      matt (209.67.215.146): 1 Time(s)
      mysql (209.67.215.146): 1 Time(s)
      nobody (209.67.215.146): 1 Time(s)
      operator (209.67.215.146): 1 Time(s)
   Invalid Users:
      Unknown Account: 40 Time(s)
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=209.67.215.146 : 40 Time(s)

su:
   Sessions Opened:
      (uid=0) -> julian: 2 Time(s)
      (uid=0) -> cyrus: 1 Time(s)
      (uid=0) -> news: 1 Time(s)
      julian(uid=500) -> root: 1 Time(s)

It also looks like the attacker was successful in logging in as cyrus
and news.  Is this possible?  Could this be potentially damaging to my
system?  Or is this something normal which I am overlooking?

----

My second question about my log concerns the following entries:

dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "julian"
dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "julian"
dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "julian"
dovecot-auth: pam_succeed_if: requirement "uid < 100" not met by user "mailings"

I get about 50 of these daily. How can I make them go away?


Thanks,

Julian
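
An added example, not part of the original post: a small Python parser for the sshd and su sections of the summary quoted above. It totals the sshd authentication failures per source address and groups the su "Sessions Opened" entries by the uid that ran su, which is what the value in parentheses records; the function names are hypothetical and the sample text is copied from the post.

```python
import re
from collections import Counter, defaultdict

# Summary lines copied from the post above (sshd and su sections only).
SUMMARY = """\
sshd:
   Authentication Failures:
      root (209.67.215.146): 59 Time(s)
      adm (209.67.215.146): 2 Time(s)
      apache (209.67.215.146): 1 Time(s)
      cyrus (209.67.215.146): 1 Time(s)
      matt (209.67.215.146): 1 Time(s)
      mysql (209.67.215.146): 1 Time(s)
      nobody (209.67.215.146): 1 Time(s)
      operator (209.67.215.146): 1 Time(s)
   Invalid Users:
      Unknown Account: 40 Time(s)
su:
   Sessions Opened:
      (uid=0) -> julian: 2 Time(s)
      (uid=0) -> cyrus: 1 Time(s)
      (uid=0) -> news: 1 Time(s)
      julian(uid=500) -> root: 1 Time(s)
"""

# "<account> (<source address>): <n> Time(s)" under sshd Authentication Failures
FAIL_RE = re.compile(r"^\s*(\S+) \((\d+(?:\.\d+){3})\): (\d+) Time\(s\)$")
# "[<name>](uid=<n>) -> <target>: <n> Time(s)" under su Sessions Opened
SU_RE = re.compile(r"^\s*\S*\(uid=(\d+)\) -> (\S+): \d+ Time\(s\)$")

def ssh_failures_by_host(text):
    """Sum failed sshd authentications per remote address."""
    totals = Counter()
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            totals[m.group(2)] += int(m.group(3))
    return dict(totals)

def su_targets_by_invoker(text):
    """Map the uid that ran su to the accounts it switched to."""
    by_uid = defaultdict(list)
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            by_uid[int(m.group(1))].append(m.group(2))
    return dict(by_uid)

if __name__ == "__main__":
    print(ssh_failures_by_host(SUMMARY))
    print(su_targets_by_invoker(SUMMARY))
```

The 40 "Unknown Account" attempts are not part of the per-address total because that summary line carries no address.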





