Yup, Steven Thompson wrote:
Hi All
Feb 14 11:37:30 bobedb01 login(pam_unix)[1010]: check pass; user unknown
Feb 14 11:37:30 bobedb01 login(pam_unix)[1010]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 14 11:37:32 bobedb01 login[1010]: FAILED LOGIN 1 FROM (null) FOR control, Authentication failure
Feb 14 11:37:51 bobedb01 login(pam_unix)[1010]: check pass; user unknown
Feb 14 11:37:53 bobedb01 login[1010]: FAILED LOGIN 2 FROM (null) FOR control, Authentication failure
This is a PAM error message, which says that someone repeatedly tried to log in to the non-existent account "control" on console tty1. Since you haven't stated more details about your setup, machine type (server, client) and your network, it's hard to tell whether this is something to worry about.

The OpenSSH UseLogin vuln needs a local account to work, because an attacker would have to make some changes to his/her environment in order to preload a hacked library while an ssh connection is initiated. Obviously, the UseLogin directive must be specified in the sshd conf of the victim server. Now, yes, someone could have tried to find a "blind" account on your machine, log in to it and exploit the vuln if your OpenSSH installation is < v3.0.2 and/or UseLogin is enabled, but he/she could do dozens of other nasty things as well once logged in, so this is just a shot in the dark; it could have been a simple user error as well.
Thanks in Advance
Steven
Boris Lorenz
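
The triage described in the reply, as an added example that is not part of the original thread: it correlates the quoted login/pam_unix lines by host and PID to report who was tried, from where and how often, and checks an sshd config text for UseLogin. The function names `summarize_failed_logins` and `uselogin_enabled` are hypothetical, and treating an empty `rhost=` together with `FROM (null)` as a local attempt is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the five syslog lines quoted in the message, one per line.
SAMPLE_LOG = """\
Feb 14 11:37:30 bobedb01 login(pam_unix)[1010]: check pass; user unknown
Feb 14 11:37:30 bobedb01 login(pam_unix)[1010]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 14 11:37:32 bobedb01 login[1010]: FAILED LOGIN 1 FROM (null) FOR control, Authentication failure
Feb 14 11:37:51 bobedb01 login(pam_unix)[1010]: check pass; user unknown
Feb 14 11:37:53 bobedb01 login[1010]: FAILED LOGIN 2 FROM (null) FOR control, Authentication failure
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) login(?:\(pam_unix\))?\[(\d+)\]: (.*)$")
FAILED = re.compile(r"FAILED LOGIN (\d+) FROM (\S+) FOR ([^,]+),")
FIELD = re.compile(r"\b(tty|rhost)=(\S*)")

def summarize_failed_logins(log_text):
    """Correlate login(1) and pam_unix lines by (host, pid), one entry per session."""
    sessions = defaultdict(lambda: {"user": None, "unknown_user": False,
                                    "tty": None, "source": "", "attempts": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a login/pam_unix line
        host, pid, msg = m.groups()
        s = sessions[(host, int(pid))]
        if "user unknown" in msg:
            s["unknown_user"] = True
        for key, value in FIELD.findall(msg):
            if key == "tty":
                s["tty"] = value
            elif value:
                s["source"] = value  # non-empty rhost= means a remote origin
        f = FAILED.search(msg)
        if f:
            s["attempts"] = max(s["attempts"], int(f.group(1)))
            s["user"] = f.group(3)
            if f.group(2) != "(null)":
                s["source"] = f.group(2)
    # Assumption: no rhost and FROM (null) means the attempt came from a local tty.
    return {k: dict(v, local=(v["source"] == "")) for k, v in sessions.items()}

def uselogin_enabled(sshd_config_text):
    """sshd keeps the first value it reads for a keyword; UseLogin defaults to no."""
    for line in sshd_config_text.splitlines():
        words = line.split("#", 1)[0].replace("=", " ").split()
        if len(words) >= 2 and words[0].lower() == "uselogin":
            return words[1].lower() == "yes"
    return False
```

On the quoted lines this yields one session for PID 1010 on bobedb01: two attempts for the unknown user "control" on tty1, with no remote host recorded.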