I set up a Redhat 5.1 box as an experiment, intending to operate it
alongside my FreeBSD box. I haven't done much with it beyond some
performance testing. It doesn't carry any software other than the packages
provided with Redhat 5.1. I've never had a successful hack attempt with any
version of FreeBSD, however after being up a few days, this shows in
"laston -a -d" on the Redhat box.
cigna ttyp1 Sun Nov 15 11:50 - 11:56 (00:05) boramae.desicom.co.kr
User "cigna" was not created by me, and doesn't show up in my password file.
The password file does, however, carry a suspicious modification date.
Additionally, the message log shows the following:
(Note that genesis.newtoy.com is not one of my machines, and 205.164.44.73
is not the IP of www.newtoy.com, so I suspect that I'm being delivered
forged name service responses. I would hope that named is intelligent enough
to discard these?)
Nov 15 10:56:25 green named[294]: ns_resp: query(genesis.newtoy.com) contains our address (NS1.NEWTOY.COM:205.164.44.73)
Nov 15 10:57:08 green identd[3007]: from: 205.161.105.205 ( ffml.fanfic.com ) for: 4233, 8888
Nov 15 10:57:08 green identd[3007]: Successful lookup: 4233 , 8888 : snowfox.root
Nov 15 11:19:37 green named[294]: ns_forw: query(www.newtoy.com) contains our address (NS1.NEWTOY.COM:205.164.44.73)
Nov 15 11:40:30 green identd[3086]: Successful lookup: 5182 , 23 : snowfox.root
Nov 15 11:48:07 green kernel: Appletalk 0.17 for Linux NET3.035
Nov 15 11:50:32 green PAM_pwdb[3104]: (login) session opened for user cigna by (uid=0)
Nov 15 11:50:32 green login[3104]: LOGIN ON ttyp1 BY cigna FROM boramae.desicom.co.kr
I'd appreciate any suggestions or explanations as to exactly what this
means.