
pam problem



I am getting many, many entries in auth.log like these:

> /var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost= 
> /var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost= 
> /var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost= 
> /var/log/auth.log:May 18 03:39:23 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost= 
> /var/log/auth.log:May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost= 
> /var/log/auth.log:May 18 03:40:08 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost= 
> /var/log/auth.log:May 18 03:40:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=  
> /var/log/auth.log:May 18 09:14:57 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost= 
> /var/log/auth.log:May 18 09:15:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost= 

Over on SDLU, I was told the empty "rhost=" looks like there is a Trojan using a 
socket on my email host. I knew nothing about sockets -- not much more now. Can 
anyone tell me how to find it and squash it?

I've never seen anything like this. It's not happening very fast, and I've made 
sure the usernames and passwords are good, so statistically, it's going to take 
quite a while to get in. But it might get lucky, so I'd like to deal with it. 

I've looked with netstat, and I don't see anything suspicious. It occurs to me that it 
might be a program that runs every so often, and very quickly, so it doesn't show up 
in random "ps" or "top" checks.

The only thing I can think of to do is reinstall. I know that's sometimes the correct 
thing to do, but that's so Windows :-) Any advice will be greatly appreciated...

BTW, please feel free to reply to me personally; my Postfix configuration sometimes considers 
bendel.debian.org to be a spammer (it doesn't find a domain for the IP).

Oh. And I'm still on lenny, so reinstalling doesn't seem like too bad an idea...

-- 
Glenn English
hand-wrapped from my Apple Mail
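
To make the quoted auth.log lines easier to act on, here is an added Python script (not from the original post, and not part of Debian, Dovecot or PAM) that parses pam_unix failure lines, counts attempts per ruser, and separates entries whose rhost field is empty from those that record a remote address; the log lines embedded in it are constructed in the same format as the ones quoted above, with one grep-prefixed line, one sshd line and one entry with a remote host added to exercise the filters.

```python
import re
from collections import Counter

# Constructed sample in the pam_unix format quoted in the post (not from a real server).
SAMPLE_LOG = """\
/var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
May 18 03:40:08 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
May 18 09:15:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=
May 18 09:20:30 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=203.0.113.7
May 18 09:21:00 server sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=bob
"""

LINE_RE = re.compile(
    r"^(?:\S+\.log:)?"                                   # optional "file:" prefix from grep
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"pam_unix\((?P<service>[^:]+):(?P<type>\w+)\): authentication failure; "
    r"(?P<kv>.*)$"
)

def parse_line(line):
    """Parse one pam_unix failure line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The tail is space-separated key=value pairs; empty values (logname=, rhost=) are legal.
    for tok in rec.pop("kv").split():
        k, _, v = tok.partition("=")
        rec[k] = v
    return rec

def summarize(text, service="dovecot"):
    """Count failures per attempted user and split them by whether an rhost was recorded."""
    per_user, no_rhost, with_rhost = Counter(), 0, 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["service"] != service:
            continue                                     # skip unparsable and other services
        per_user[rec.get("ruser", "")] += 1
        if rec.get("rhost", ""):
            with_rhost += 1
        else:
            no_rhost += 1
    return {"per_user": per_user, "no_rhost": no_rhost, "with_rhost": with_rhost}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['no_rhost']} failures without rhost, {s['with_rhost']} with rhost")
    for user, n in s["per_user"].most_common():
        print(f"{n:4d}  {user or '<empty>'}")
```

Run it against the real file with `summarize(open("/var/log/auth.log").read())`; the per-user counts show whether the attempts are spread across junk names or concentrated on real accounts, and the rhost split isolates the entries the post is asking about.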
