On Tue, Jan 04, 2005 at 10:06:39AM -0500, Bill Moran probably wrote:
>
> Over the holiday I replaced a server that appeared to have been cracked.
> Basically built a replacement with the same services in a sandbox, then
> swapped it with the old one.
>
> The new server seems to be secure, as we're not seeing the spam coming
> off it that the old one was generating, however, I'm seeing a lot of
> messages in the log files. For example:
>
> Jan 4 07:15:13 mail su: _secure_path: cannot stat
> /usr/sbin/nologin/.login_conf: Not a directory

It looks like `/usr/sbin/nologin/' is someone's ``home directory'' and
that someone is trying to su.

/usr/sbin/nologin can't be a home directory, it must be the shell for
some user who isn't supposed to log in. /nonexistent should be the home
directory.

It looks possible that your password file specifies /usr/sbin/nologin as
a home directory and a valid shell for some system user. Maybe you
omitted or added an extra `:'?

Just a guess,
-- 
DoubleF
Dealing with failure is easy: work hard to improve. Success is also easy
to handle: you've solved the wrong problem. Work hard to improve.
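
One way to check for the condition guessed at above, as an added example that is not part of the original message: an sh/awk function that flags password-file entries with the wrong number of colon-separated fields, or with a no-login shell sitting in the home-directory field. The function names and sample entries are constructed for illustration; the 7-field /etc/passwd and 10-field master.passwd layouts are assumed.

```shell
#!/bin/sh
# Added example. Reads passwd-format lines on stdin and reports entries
# where a missing or extra ":" has shifted the home and shell fields.
# Real use (assumption): check_passwd < /etc/passwd
check_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }    # skip comments and blank lines
        {
            if (NF == 7)       { home = $6; shell = $7 }   # passwd layout
            else if (NF == 10) { home = $9; shell = $10 }  # master.passwd layout
            else {
                # A dropped or added colon changes the field count
                printf "%s: line %d has %d fields (expected 7 or 10)\n", $1, NR, NF
                next
            }
            if (home ~ /\/(nologin|false)$/)
                printf "%s: home directory is a no-login shell: %s\n", $1, home
            else if (home != "" && home == shell)
                printf "%s: home directory equals shell: %s\n", $1, home
        }'
}

# Constructed sample input: two sane entries, one with the no-login shell
# in the home field, and one with a colon missing before the home field.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/usr/sbin/nologin:/bin/sh
bind:*:53:53:Bind Sandbox/:/usr/sbin/nologin
EOF
}

sample_passwd | check_passwd
```

An entry flagged by the home-directory check produces exactly the "cannot stat .../.login_conf: Not a directory" message when that user is the target of su, because the path being opened runs through a regular file.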