'su by nobody' - should I be worried?
For the past few days, Logcheck has been reporting a lot of messages like this:
---------------------------------------------------------------------
Security Violations for su
=-=-=-=-=-=-=-=-=-=-=-=-=-
Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)
---------------------------------------------------------------------
I've had similar messages for various users for cron and sshd.
Should I be worried? The only way I can read these messages is that
user 'nobody' has done a 'su' - become root. I don't know what the
'pam_unix' part means.
So: does this mean my server has been compromised?
If not, what does it mean?
If so, how? How can I find the hole - or should I re-install
everything?
Thanks,
--
Matthijs
vanaalten@hotmail.com