[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-users] Have I been hacked ?

Subject: RE: [cobalt-users] Have I been hacked ?
From: Rodolfo Paiz <rpaiz@xxxxxxxxxxxxxx>
Date: Mon Feb 19 19:35:00 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

> and in my messages logfile, I have the following
>
> Feb 17 13:15:10 raq3 useradd[5442]: new group: name=named, gid=25
> Feb 17 13:15:10 raq3 useradd[5442]: new user: name=named,
> uid=25, gid=25,
> home=/var/named, shell=/bin/false
> Feb 17 13:15:22 raq3 in.qpopper[7038]:
> Active_Monitor_69@localhost: -ERR POP
> EOF received
> Feb 17 13:15:22 raq3 telnetd[7041]: ttloop:  read: Broken pipe
> Feb 17 13:16:57 raq3 named[24405]: reloading nameserver
> Feb 17 13:16:57 raq3 named[24405]: Forwarding source address

Gilles,

I am not sure about this, but I ***THINK***...

...that the BIND upgrade (did you recently install this?) creates a new
'named' user so that the bind daemon will no longer run as root. This
user's home directory would logically be /var/named and would logically
not have shell access, which is what's reflected in your logs.

I *guess* that if you upgraded BIND, these are expected messages. No
clue why your POP3 daemon quit, though...

HTH,

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>

References:
- [cobalt-users] Have I been hacked ?
  - From: Gilles Dumangin

Prev by Date: RE: [2] [cobalt-users] Cobalt to provide compensation for server hack?
Next by Date: RE: [cobalt-users] Lost mail
Previous by thread: [cobalt-users] Have I been hacked ?
Next by thread: [cobalt-users] RaQ4 hack or other weirdness? Help?

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index