I have been watching the log files for about a week and below is what I keep getting. I have also seen brute-force attempts in the logs and even had one IP address that tried to access the server using a correct username but failed on the password. I have limited experience with CentOS. This is an unmanaged dedicated server that I have now acquired responsibility for. Any help would be appreciated.
Sep 8 13:35:06 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:35:08 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:35:10 server pam_pwdfile[31624]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:49 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:52 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:39:54 server pam_pwdfile[32032]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:22 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:24 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:49:26 server pam_pwdfile[32722]: couldn't open password file /etc/techproxy.shadow
Sep 8 13:57:12 server pam_pwdfile[838]: couldn't open password file /etc/techproxy.shadow
Active Hack
Re: Active Hack
Those log entries you quoted look more like a misconfiguration to me. Run grep -r proxy /etc/pam.d to see where that file is configured, and then examine that file to see if it matches what you would expect.
Re: Active Hack
Having the exact same issue. The contents of that file read:
auth sufficient pam_pwdfile.so pwdfile /etc/techproxy.shadow
session optional pam_hooks.so /usr/sec/bin/remove_techproxy_login
Does that mean anything to you?
-Andrew
Re: Active Hack
Those log messages and that pam entry look extremely suspicious to me. I see nothing that supplies either pam_hooks.so or any file with "techproxy" in its name. What is the output from file /usr/sec/bin/remove_techproxy_login ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Active Hack
While you're at it, please run rpm -qf /usr/sec/bin/remove_techproxy_login as well. I believe it says "file ... is not owned by any package", but I'd like to make sure.
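One way to turn the grep / file / rpm -qf checks from the replies above into a repeatable audit of /etc/pam.d, as an added example that is not part of this thread or of any CentOS package. It parses each PAM line (type, control, module, arguments, including bracketed controls such as [success=1 default=ignore]) and reports three things: modules that are not in a baseline list of what the stock pam package ships (an assumption approximating CentOS 7; adjust for your distribution), arguments that point at files outside the usual PAM locations, and "auth sufficient" lines whose module is not a known password backend, since a success from such a line alone logs the user in regardless of what pam_unix.so says afterwards. The two config lines quoted earlier in the thread are embedded as constructed sample input, together with a constructed clean system-auth excerpt.

```python
"""Audit /etc/pam.d for backdoor-style entries. Added example, not code
from the thread. Baseline module lists below are assumptions for CentOS 7."""
import os
import re
import shlex

# Assumption: modules normally shipped by the pam package on CentOS/RHEL 7
# plus common auth backends. Anything else is reported so you can check it
# by hand with `rpm -qf` and `file`.
STOCK_MODULES = {
    "pam_access.so", "pam_cracklib.so", "pam_deny.so", "pam_env.so", "pam_exec.so",
    "pam_faildelay.so", "pam_faillock.so", "pam_keyinit.so", "pam_lastlog.so",
    "pam_limits.so", "pam_listfile.so", "pam_localuser.so", "pam_loginuid.so",
    "pam_mail.so", "pam_motd.so", "pam_namespace.so", "pam_nologin.so",
    "pam_permit.so", "pam_pwhistory.so", "pam_pwquality.so", "pam_rootok.so",
    "pam_securetty.so", "pam_selinux.so", "pam_sepermit.so", "pam_shells.so",
    "pam_succeed_if.so", "pam_systemd.so", "pam_tally2.so", "pam_time.so",
    "pam_umask.so", "pam_unix.so", "pam_warn.so", "pam_wheel.so", "pam_xauth.so",
    "pam_sss.so", "pam_ldap.so", "pam_krb5.so", "pam_winbind.so", "pam_fprintd.so",
}
# Assumption: modules that legitimately appear as "auth sufficient".
AUTH_BACKENDS = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so",
                 "pam_winbind.so", "pam_rootok.so", "pam_fprintd.so"}
# Absolute paths in module arguments are reported unless under these prefixes.
TRUSTED_PATH_PREFIXES = ("/etc/pam.d/", "/etc/security/", "/etc/login.defs")

# [-]type control module [args]; control may be a bracketed expression with spaces.
PAM_LINE = re.compile(
    r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam_line(line):
    """Return (type, control, module, args) or None for blank/comment/unparsable lines."""
    stripped = line.split("#", 1)[0].rstrip()
    if not stripped:
        return None
    m = PAM_LINE.match(stripped)
    if not m:
        return None
    try:
        args = shlex.split(m.group("args"))
    except ValueError:
        args = m.group("args").split()
    return m.group("type").lstrip("-"), m.group("control").lower(), m.group("module"), args


def audit_pam_config(name, text):
    """Return a list of (service, lineno, reason) findings for one PAM service file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        ptype, control, module, args = parsed
        if control in ("include", "substack"):
            continue  # names another service file, not a module
        modname = os.path.basename(module)
        if modname not in STOCK_MODULES:
            findings.append((name, lineno, f"non-stock module {module}: run rpm -qf on the .so"))
        for arg in args:
            value = arg.split("=", 1)[1] if "=" in arg else arg
            if value.startswith("/") and not value.startswith(TRUSTED_PATH_PREFIXES):
                findings.append((name, lineno, f"{modname} references {value}: run rpm -qf and file on it"))
        if ptype == "auth" and control == "sufficient" and modname not in AUTH_BACKENDS:
            findings.append((name, lineno, f"auth sufficient {modname}: a success here alone authenticates the user"))
    return findings


def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every regular file in a PAM directory."""
    findings = []
    for entry in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, entry)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                findings.extend(audit_pam_config(entry, fh.read()))
    return findings


# Constructed sample input: the two lines quoted in this thread.
THREAD_LINES = ("auth sufficient pam_pwdfile.so pwdfile /etc/techproxy.shadow\n"
                "session optional pam_hooks.so /usr/sec/bin/remove_techproxy_login\n")
# Constructed sample input: an excerpt resembling a stock CentOS 7 system-auth.
CLEAN_SYSTEM_AUTH = """#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     sufficient    pam_localuser.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d"
    for service, lineno, reason in audit_pam_dir(target):
        print(f"{service}:{lineno}: {reason}")
```

Run it as root with no arguments to walk /etc/pam.d; on the quoted config it reports pam_pwdfile.so and pam_hooks.so as non-stock, the two referenced paths, and the "auth sufficient" line. A hit is a pointer, not a verdict: follow it up with the rpm -qf and file checks the replies suggest, and remember that a clean module list says nothing about a modified pam_unix.so itself, for which rpm -V pam is the next step.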
Re: Active Hack
Are you guys perhaps hosted at the same company? If the initial installation of the operating system was done by some company and not by yourself, perhaps they left some sort of backdoor which they can use to log in to your server if needed.