Full Discussion: login consol to foreign ip
Special Forums > Cybersecurity > login consol to foreign ip
Post 302439878 by unSpawn on Saturday 24th of July 2010 12:04:44 PM
Quote:
Originally Posted by SimonSalman
Every time root (or any other user) logs into the system (Suse 9.3 Linux mail server), a connection to a foreign IP (96.124.236.183) shows up. It shows up even when I unplug the network cable and then restart the system.
The second column is the type of terminal: tty for the physical console, pts for pseudo-ttys, and the colon+integer notation you may remember from dealing with X11/Xorg. So these lines would signify not a connection to, but from, that system to the first X session on your mail server (aka the perceived "victim") as the root account user.


Quote:
Originally Posted by SimonSalman
I really would like to understand why this ip address appears at each log in. And further how much of a security issue this might be.
- First of all (IIGC) SUSE Linux 9.3 reached EOL in the second quarter of 2007. Running a deprecated, no longer maintained and possibly vulnerable distribution release is bad (and that's an understatement).
- Secondly, why a mail server should be running X11/Xorg anyway AND without denying root logins over the network is beyond me.
- While there may be a chance there is a bug in your version of 'last' (I vaguely remember one in the RH version), I hope that, given the apparent speed this forum moves at, you did not wait but at least 0) used the firewall to deny access to the machine if this IP address does not have any business with your machine, 1) changed all passwords and 2) shut down X Windows?
- Does the IP address show up in other system or daemon logs? If so, how far back?
- Does your mail server actually run X Windows?
- Have you done any fact finding already, like verifying the integrity of the machine, examining the configuration of network-reachable services, checking user accounts and examining system and daemon log files?

If you haven't done anything yet then it would be beneficial to consider the machine off-limits for the duration of your investigation (for all users) and to read the backup copy of the CERT/CC Intruder Detection Checklist before doing anything else. If you're ready to answer questions please be as verbose as possible.
 

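The reply above reads `last` output by its second column (tty = physical console, pts/N = pseudo-tty, :N = X display) and then asks whether the address shows up in other logs and how far back. The script below does both over sample data. It is an added example for this thread, not code from the original poster or from unSpawn; the `last` records and syslog lines are constructed, with 203.0.113.5 (a TEST-NET-3 address) standing in for the unexplained IP, and the "trusted network" used to judge pseudo-tty logins is an assumption you would replace with your own.

```python
"""Classify `last`(1) records by terminal type and check how far back an
address appears in a log. Added example for the thread; sample data is
constructed, 203.0.113.5 stands in for the unexplained IP."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
LOG_TS = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")


@dataclass
class Login:
    user: str
    terminal: str
    origin: str  # the "from" column; empty for local tty and X logins
    kind: str    # console | pty | xsession | other


def classify_terminal(term: str) -> str:
    if term.startswith("tty"):
        return "console"     # virtual console / physical terminal
    if term.startswith("pts/"):
        return "pty"         # ssh, telnet, or a local terminal emulator
    if re.fullmatch(r":\d+(\.\d+)?", term):
        return "xsession"    # X display, e.g. :0
    return "other"


def parse_last(text: str) -> list[Login]:
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip "reboot system boot ..." records and the "wtmp begins" trailer.
        if len(tokens) < 3 or tokens[0] in ("reboot", "wtmp"):
            continue
        user, term = tokens[0], tokens[1]
        # The "from" column is blank for local logins, so the third token is
        # then already the weekday that starts the login timestamp.
        origin = "" if tokens[2] in WEEKDAYS else tokens[2]
        entries.append(Login(user, term, origin, classify_terminal(term)))
    return entries


def suspicious(entries: list[Login], trusted_nets: list[str]) -> list[Login]:
    """Pseudo-tty logins from outside trusted_nets, plus any network login
    of root (the reply asks why root logins over the network are allowed)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for e in entries:
        if e.kind != "pty" or not e.origin:
            continue
        try:
            addr = ipaddress.ip_address(e.origin)
        except ValueError:        # a hostname rather than an address: review it
            hits.append(e)
            continue
        if e.user == "root" or not any(addr in n for n in nets):
            hits.append(e)
    return hits


def address_history(log_lines: list[str], addr: str):
    """(count, first timestamp, last timestamp) for lines mentioning addr,
    assuming the lines are in file order; None if it never appears.
    The lookarounds stop 203.0.113.5 from matching 203.0.113.50."""
    pat = re.compile(r"(?<![\d.])" + re.escape(addr) + r"(?![\d.])")
    stamps = []
    for line in log_lines:
        m = LOG_TS.match(line)
        if m and pat.search(line):
            stamps.append(m.group(1))
    if not stamps:
        return None
    return len(stamps), stamps[0], stamps[-1]


# Constructed sample data (not from the poster's machine).
SAMPLE_LAST = """\
root     pts/0        203.0.113.5      Sat Jul 24 11:02   still logged in
root     :0                            Sat Jul 24 10:58   still logged in
root     tty1                          Sat Jul 24 10:57 - 10:58  (00:01)
simon    pts/1        192.168.1.20     Sat Jul 24 09:00 - 09:30  (00:30)
reboot   system boot  2.6.11.4-21      Sat Jul 24 10:55
wtmp begins Thu Jul  1 00:00:01 2010
"""
SAMPLE_LOG = """\
Jul 20 03:12:44 mail sshd[4120]: Accepted password for root from 203.0.113.5 port 51022 ssh2
Jul 22 22:41:09 mail sshd[5871]: Failed password for root from 203.0.113.50 port 40011 ssh2
Jul 24 11:02:17 mail sshd[6012]: Accepted password for root from 203.0.113.5 port 51900 ssh2
"""

if __name__ == "__main__":
    logins = parse_last(SAMPLE_LAST)
    for e in logins:
        print(f"{e.user:8} {e.terminal:6} {e.kind:9} from={e.origin or '(local)'}")
    for e in suspicious(logins, ["192.168.1.0/24"]):
        print("REVIEW:", e)
    print(address_history(SAMPLE_LOG.splitlines(), "203.0.113.5"))
```

On a real box you would feed it `last -i` (numeric addresses) and the contents of /var/log/messages and any rotated copies; the first timestamp `address_history` returns is the earliest evidence you have of the address, which answers the "how far back" question only as far as the retained logs go.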
pam_console(8)              System Administrator's Manual              pam_console(8)

NAME
       pam_console - determine user owning the system console

SYNOPSIS
       session optional pam_console.so
       auth required pam_console.so

DESCRIPTION
       pam_console.so is designed to give users at the physical console (virtual
       terminals and local xdm-managed X sessions by default, but that is
       configurable) capabilities that they would not otherwise have, and to take
       those capabilities away when they are no longer logged in at the console.
       It provides two main kinds of capabilities: file permissions and
       authentication.

       When a user logs in at the console and no other user is currently logged
       in at the console, pam_console.so will run handler programs specified in
       the file /etc/security/console.handlers, such as pam_console_apply, which
       changes permissions and ownership of files as described in the file
       /etc/security/console.perms. That user may then log in on other terminals
       that are considered part of the console, and as long as the user is still
       logged in at any one of those terminals, that user will own those devices.
       When the user logs out of the last terminal, the console may be taken by
       the next user to log in. Other users who have logged in at the console
       during the time that the first user was logged in will not be given
       ownership of the devices unless they log in on one of the terminals;
       having done so on any one terminal, the next user will own those devices
       until he or she has logged out of every terminal that is part of the
       physical console. Then the race can start for the next user. In practice,
       this is not a problem; the physical console is not generally in use by
       many people at the same time, and pam_console.so just tries to do the
       right thing in weird cases.

       When an application attempts to authenticate the user and this user is
       already logged in at the console, pam_console.so checks whether there is a
       file in the /etc/security/console.apps/ directory with the same name as
       the application servicename, and if such a file exists, authentication
       succeeds. This way pam_console may be utilized to run some system
       applications (reboots, config tools) without the root password, or to
       enter the user password on the first system login only.

ARGUMENTS
       debug
              turns on debugging

       allow_nonroot_tty
              gain console locks and change permissions even if the TTY's owner
              is not root.

       handlersfile=filename
              tells pam_console.so to get the list of the handlers from a
              different file than /etc/security/console.handlers

EXAMPLE
       /etc/pam.d/some-system-tool:
              auth sufficient pam_rootok.so
              auth required pam_console.so

       /etc/pam.d/some-login-service:
              auth sufficient pam_console.so
              auth required pam_unix.so
              session required pam_unix.so
              session optional pam_console.so

FILES
       /var/run/console/
       /var/run/console/console.lock
       /etc/security/console.apps
       /etc/security/console.handlers

SECURITY NOTES
       When pam_console "auth" is used for login services which provide the
       possibility of remote login, it is necessary to make sure the application
       correctly sets the PAM_RHOST variable, or to deny remote logins
       completely. Currently, /bin/login (invoked from telnetd) and gdm are OK;
       others may not be.

SEE ALSO
       console.perms(5), console.apps(5), console.handlers(5),
       pam_console_apply(8), /usr/share/doc/pam*/html/index.html

BUGS
       Let's hope not, but if you find any, please report them via the "Bug
       Track" link at http://bugzilla.redhat.com/bugzilla/

AUTHORS
       Michael K. Johnson <johnsonm@redhat.com>
       Support of console.handlers and other improvements by Tomas Mraz
       <tmraz@redhat.com>

Red Hat                            2005/10/4                          pam_console(8)
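The SECURITY NOTES above describe the one configuration that matters on a box reachable over the network: pam_console.so in the auth stack of a service that can carry a remote login. The audit below finds that case in a pam.d directory while ignoring the harmless session-only use. It is an added example, not part of the man page or Red Hat's code; the set of service names treated as remote-capable and the sample pam.d files it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit a pam.d directory for pam_console(8) used as an auth module.
Added example; REMOTE_CAPABLE and the SAMPLE_PAM files are constructed."""
import os
import tempfile
from pathlib import Path

# Assumption: services whose PAM stack may be run for a network login.
REMOTE_CAPABLE = {"sshd", "login", "remote", "gdm", "xdm"}


def parse_pam_file(text: str):
    """Return (type, control, module, args) tuples for a PAM service file.
    Handles '#' comments, backslash continuation lines, bracketed controls
    such as [success=1 default=ignore] and a leading '-' on the type."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        tokens = " ".join(pending).split()
        pending = []
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-")
        if tokens[1].startswith("["):
            i = 1
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
            control, rest = " ".join(tokens[1:i + 1]), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append((mtype, control, os.path.basename(rest[0]), rest[1:]))
    return entries


def audit_pam_dir(pam_dir, remote_capable=REMOTE_CAPABLE):
    """Map service name -> description for every service whose auth stack
    contains pam_console.so. A session-only use (device ownership, the
    common case) is not reported; an auth use on a remote-capable service
    is the configuration the SECURITY NOTES warn about."""
    findings = {}
    for path in sorted(Path(pam_dir).iterdir()):
        if not path.is_file():
            continue
        for mtype, control, module, _args in parse_pam_file(path.read_text()):
            if mtype == "auth" and module == "pam_console.so":
                risk = "remote-capable" if path.name in remote_capable else "local-only"
                findings[path.name] = f"auth {control} pam_console.so ({risk})"
    return findings


# Constructed sample pam.d contents (not a real system's configuration).
SAMPLE_PAM = {
    "sshd": "auth sufficient pam_console.so\n"
            "auth required pam_unix.so\n",
    "halt": "auth sufficient pam_rootok.so\n"
            "auth required pam_console.so \\\n"
            "    debug\n",
    "login": "auth required pam_unix.so\n"
             "session required pam_unix.so\n"
             "session optional pam_console.so   # ownership only, no auth\n",
    "system-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth required pam_deny.so\n",
}


def build_sample_tree() -> str:
    """Write SAMPLE_PAM into a fresh temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="pamd-")
    for name, text in SAMPLE_PAM.items():
        Path(d, name).write_text(text)
    return d


if __name__ == "__main__":
    for svc, what in audit_pam_dir(build_sample_tree()).items():
        print(f"{svc}: {what}")
```

Point `audit_pam_dir` at the real /etc/pam.d to run it against a system; anything reported as remote-capable should be checked against the application's handling of PAM_RHOST, or changed so that pam_console.so appears only in the session stack there.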
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.