failed xscreensaver login when x down?
Noticed a couple of strange things this morning when I flipped on my monitor, and I wonder if anyone can help me sort them out.
First of all, at the runlevel 3 login prompt, instead of seeing my normal blank hostname login: I saw this:

hostname login: e100:eth0 NIC Link is Down
e100: eth0 NIC Link is Up (speed)
e100: eth0 NIC Link is Down
e100: eth0 NIC Link is Up (speed)

The link went down overnight as I slept (no time given in any log that I could find) and for some reason the information just output to the login prompt? Weird, but not terribly worrisome... yet.

So I ran rkhunter. Everything looked fine until this:

Checking loaded kernel mods
Warning! (found difference in output)

I did add a module recently, so that probably explains that. But then I checked my security log and saw the strangest thing ever:

xscreensaver FAILED LOGIN

at 2:32, when I was sound asleep and the machine was running at rl 3...

Anybody have any idea what the xscreensaver login attempt is all about?
Nobody has any idea about this xscreensaver failed login? Now I'm getting a little worried.
Unless someone was able to establish a remote X session, then the failed xscreensaver login had to be local. Check the output of last -i for login times that occurred overnight. What does the rkhunter logfile show as the module discrepancy?
last -i doesn't show any unusual activity. rkhunter didn't give specific info about the mod, just that something had changed, and it probably had to do with some tinkering with mysql. When I ran rkhunter again today, it didn't show anything wrong. Pretty sure I inserted a new mod since last time I ran rkhunter. Not worried about it.
I don't think anybody could establish a remote xsession unless they could figure out a way to do it through... well, let's not give them any ideas. ;)

But as long as we're on the subject of security. This morning at 4:17, I got an email from winvn@news.ksc.nasa.gov

Subject: Hello,info,japanese girl VS playboy

Message:
Content-Type: application/octet-stream; name=jill stack@fastclick[1].txt
Content-Transfer-Encoding: base64
Content-ID: <ZwF6s9780575W39tY94>
cGx1dG8KNzM2MzgzMzI4fDB8ZTE0YTI5MmEtM Tg5NC00YTUzLWE2ZmEtOTliM2IyMjk1YmM3fApmYXN0Y2xpY2submV0Lw oxMDI0CjM4OTcwNzIzODQKMjk4Mzg5MjEKNDA3NDg2NTgwOAoyOTcxMT k3NwoqCj==

What the hell is that all about?
I don't think anybody could establish a remote xsession unless they could figure out a way to do it through... well, let's not give them any ideas.
It's possible (but not likely) that someone could establish a remote desktop session by connecting to your local X server, but you should see a remote login. Plus if you are normally in runlevel three, then someone would first have to remotely log into the box using some other method, then fire up X and then establish the remote desktop session (all of which is pretty unlikely). What's odd is that a failed xscreensaver login should only be possible in a desktop session, but from everything you've described it doesn't seem possible. Might want to add an iptables rule logging any incoming or outgoing X traffic.

What the hell is that all about?

Given that all I get in my inbox anymore is pr0n spam or a virus, I'd say it's one of those (Actually it's klez).
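The iptables logging suggested in the reply above could look like the following. This is an added example, not something posted in the thread. It assumes the X server uses the standard TCP ports (6000 plus the display number); the `X11-` log prefix, the function names and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: log new TCP connections to X11 display ports in both directions.
# Display :N uses TCP port 6000+N, so 6000:6063 covers displays :0 to :63.
X11_PORTS="6000:6063"

# Print the iptables commands (dry run). Pipe the output to "sh" as root to apply.
x11_log_rules() {
    for chain in INPUT OUTPUT; do
        # --syn matches connection attempts only, so an established session
        # does not flood the log; -I places the rule ahead of ACCEPT/DROP rules;
        # the limit match keeps a port scan from filling the disk.
        printf '%s\n' "iptables -I $chain -p tcp --syn --dport $X11_PORTS -m limit --limit 10/min -j LOG --log-prefix \"X11-$chain: \""
    done
}

# Read kernel log lines on stdin and print "chain source-ip :display"
# for every line carrying the prefix set above.
x11_log_summary() {
    sed -n 's/.*X11-\([A-Z]*\): .*SRC=\([^ ]*\) .*DPT=\([0-9]*\).*/\1 \2 \3/p' |
    while read -r chain src dpt; do
        echo "$chain $src :$((dpt - 6000))"
    done
}

# Constructed sample of a netfilter LOG line (documentation address range).
SAMPLE='Jan  1 02:32:01 host kernel: X11-INPUT: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=6001 WINDOW=5840 SYN URGP=0'

x11_log_rules
printf '%s\n' "$SAMPLE" | x11_log_summary
```

Once the rules are applied, feeding the kernel log through `x11_log_summary` shows which hosts tried to reach which display, and those times can be compared with the FAILED LOGIN entry in the security log.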