
'su by nobody' - should I be worried?



For the past few days, Logcheck has been reporting a lot of messages like this:

---------------------------------------------------------------------
Security Violations for su
=-=-=-=-=-=-=-=-=-=-=-=-=-
Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)
---------------------------------------------------------------------

I've had similar messages for various users for cron and sshd.

Should I be worried? The only way I can read these messages is that
user 'nobody' has done a 'su' - become root. I don't know what the
'pam_unix' part means.

So: does this mean my server has been compromised?
If not, what does it mean?
If so, how? How can I find the hole - or should I re-install
everything?

Thanks,
-- 
Matthijs
vanaalten@hotmail.com


