Tuesday, October 6, 2015

linux - Apache on Last Logins list

I have set the apache user to have /sbin/nologin as his shell, but still he appears many times in the list of last logins (last command) - probably by someone who I surely didn't want to do so.



What am I missing here, what else can trigger an entry on the last logins list? Obviously he was able to log in without a shell?!



Here are some of the entries, in case that helps.



root     pts/0        xx     Sat Feb 20 13:36   still logged in
apache pts/0 xx Fri Feb 19 01:20 - 01:20 (00:00)
apache pts/0 xx Mon Feb 15 08:57 - 08:57 (00:00)
apache pts/0 xx Wed Feb 10 22:23 - 22:23 (00:00)
root pts/0 xx Sun Feb 7 17:27 - 03:40 (10:13)
apache pts/0 xx Sat Feb 6 16:53 - 16:53 (00:00)
root pts/0 xx Tue Feb 2 18:39 - 18:53 (00:13)
root pts/0 xx Tue Feb 2 18:24 - 18:36 (00:12)
apache pts/0 xx Mon Feb 1 22:48 - 22:48 (00:00)
apache pts/0 xx Mon Feb 1 22:47 - 22:47 (00:00)
apache pts/0 xx Mon Feb 1 22:47 - 22:47 (00:00)
apache pts/0 xx Mon Feb 1 03:09 - 03:09 (00:00)


Also I have noticed that someone has tried a whole lot of other accounts (httpd, apache2, httpd2, httpdocs, etc...), which (of course) all failed. The list of failed logins is not long enough for a brute force though, so I'm wondering how he was able to enter in the end...



Thanks for any hints in advance
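
Added example, not part of the original post: a check for the pattern in the listing above, flagging sessions that `last` records for accounts whose passwd shell is non-interactive. The `last` lines are copied from the post; the passwd excerpt, root's shell, the function names and the shell list are assumptions, and the parser assumes the host column is never empty.

```python
import re

# Lines copied from the `last` output in the post (host column redacted as "xx").
LAST_OUTPUT = """\
root     pts/0        xx     Sat Feb 20 13:36   still logged in
apache pts/0 xx Fri Feb 19 01:20 - 01:20 (00:00)
apache pts/0 xx Mon Feb 15 08:57 - 08:57 (00:00)
root pts/0 xx Sun Feb 7 17:27 - 03:40 (10:13)
apache pts/0 xx Mon Feb 1 22:47 - 22:47 (00:00)
"""

# Constructed /etc/passwd excerpt; only apache's shell is stated in the post.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

ENTRY = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+"
    r"(?:still logged in|-\s+\d{2}:\d{2}\s+\((?:(?P<d>\d+)\+)?(?P<h>\d{2}):(?P<m>\d{2})\))\s*$"
)

def parse_last(text):
    """Yield (user, tty, host, start, minutes); minutes is None for open sessions."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # blank lines and anything that is not a session entry
        minutes = None
        if m["h"] is not None:
            minutes = (int(m["d"] or 0) * 24 + int(m["h"])) * 60 + int(m["m"])
        yield m["user"], m["tty"], m["host"], " ".join(m["start"].split()), minutes

def shells(passwd_text):
    """Map user name -> login shell (7th passwd field)."""
    return {f[0]: f[6] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) == 7}

def flag_service_sessions(last_text, passwd_text):
    """Return sessions recorded for accounts whose shell is non-interactive."""
    shell_of = shells(passwd_text)
    return [e for e in parse_last(last_text) if shell_of.get(e[0]) in NON_INTERACTIVE]

if __name__ == "__main__":
    for user, tty, host, start, minutes in flag_service_sessions(LAST_OUTPUT, PASSWD):
        print(f"{user} on {tty} from {host} at {start}, {minutes} min")
```

On a live system the same functions can be fed the output of `last` and the contents of /etc/passwd instead of the embedded samples.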
