[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-users] RE: RAQ3 check pass; user unknown - Again
- Subject: Re: [cobalt-users] RE: RAQ3 check pass; user unknown - Again
- From: flash22@xxxxxxx
- Date: Wed Nov 7 23:31:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 8 Nov 2001, Render-Vue wrote:
> Sqlcoders.com Programming Dept replied...
>
> >>just a thought for what's its worth, if its someone checking their stats,
> I'd assume they'll email you soon enough for the right pwd.
>
> might help cut out some of the unlikely possibilities, or I might be wrong
> and mudding the waters LOL<<
>
> Yes, I know but remember sometimes users won't because they get embarrassed
> if they think they are doing something wrong.
>
> I personally don't think it is and I'm now a bit concerned as it's starting
> to happen a bit regular now.
>
> I have chkrootkit on and nothing is showing up there, portsentry noit
> showing anything, logs show nothing, there's no disk space being
> mysteriously used up and the box is seemingly working okay.
In any case, the error logs for apache WILL show access failures for
password protected pages, the admin logs will show them for the admin
areas....
There is a logging module for pam, but it's not installed by default,
dunno how hard it would be to stick in, messing with PAm is horribly
dangerous unless the machine is sitting next to you ;)
Do you have any cgi's that might be trying to do their own
authentication? That message is from pam_pwdb, which handles also, the
default requests for login/passwords (eg, non service specific)
ssh?
Also, the timestamps in your log are interesting, they have a regular
pattern....
gsh