Security Incidents mailing list archives
Re: Strange logs and scans.
From: reb () OPENRECORDS ORG (* *)
Date: Fri, 19 May 2000 05:55:17 -0500
I have also seen these in my logs, and this is probably a skript kiddie. check_pass is a login trojan for Solaris. It is pre-compiled so the login can't be changed by 'hackers' after they compromise a box. They then install the login trojan. Someone looking for this trojan would simply need to try to log in; if a password is needed, they move on.

If anyone has more information on 'check pass' rather than 'check_pass' I would be interested.

Reb

On Wed, 17 May 2000, Lic. Rodolfo Gonzalez Gonzalez wrote:
Hi, just got this log in one of my RedHat 6.2 boxes:

May 3 18:56:37 equinoxe PAM_pwdb[21654]: check pass; user unknown
May 3 18:56:38 equinoxe gdm[21654]: Couldn't authenticate with jkikjeans
May 3 18:56:41 equinoxe gdm[21654]: Couldn't authenticate

I wonder, is it an exploit? Then I got a scan to port 513 (TCP), coming from a "trusted" machine. And a new scan:

May 16 10:10:14 equinoxe abacus_sentry[711]: attackalert: UDP scan from host: 169.254.210.20/169.254.210.20 to UDP port: 67

Anyway, scans are so common, but the first message seems strange to me.

Regards,
Rodolfo.
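One way to triage log lines like the ones quoted above, as an added example that is not part of either message: group syslog entries by host and PID so a PAM "user unknown" message is read together with whatever service logged under the same PID. The regular expression, function names and field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the quoted message above.
SAMPLE = """\
May 3 18:56:37 equinoxe PAM_pwdb[21654]: check pass; user unknown
May 3 18:56:38 equinoxe gdm[21654]: Couldn't authenticate with jkikjeans
May 3 18:56:41 equinoxe gdm[21654]: Couldn't authenticate
May 16 10:10:14 equinoxe abacus_sentry[711]: attackalert: UDP scan from host: 169.254.210.20/169.254.210.20 to UDP port: 67
"""

# Classic syslog layout: "Mon D HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse(text):
    """Yield one dict per line that matches the syslog layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def group_by_pid(text):
    """Map (host, pid) -> list of entries, preserving log order."""
    groups = defaultdict(list)
    for e in parse(text):
        groups[(e["host"], e["pid"])].append(e)
    return dict(groups)

def failed_unknown_user_logins(text):
    """Find PIDs where a PAM_* tag logged 'user unknown'; list co-logging tags."""
    findings = []
    for (host, pid), entries in group_by_pid(text).items():
        if not any(e["tag"].startswith("PAM_") and "user unknown" in e["msg"]
                   for e in entries):
            continue
        services = sorted({e["tag"] for e in entries if not e["tag"].startswith("PAM_")})
        strings = [m.group(1) for e in entries
                   if (m := re.search(r"authenticate with (\S+)", e["msg"]))]
        findings.append({"host": host, "pid": pid, "services": services,
                         "auth_strings": strings, "first_seen": entries[0]["ts"]})
    return findings

if __name__ == "__main__":
    for finding in failed_unknown_user_logins(SAMPLE):
        print(finding)
```

PIDs are reused over time, so on a longer log the grouping should also be restricted to a short time window.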