
Re: 'su by nobody' - should I be worried?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 30 Mar 2004 22:55:29 +0200
Matthijs <vanaalten@hotmail.com> wrote:

> Since a few days, Logcheck reports a lot of messages like this:
> 
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
> 
> I've had similar messages for various users for cron and sshd.
> 
> Should I be worried? The only way I can read these messages is that
> user 'nobody' has done a 'su' - become root. I don't know what the
> 'pam_unix' part means.
> 
> So: does this mean my server has been compromised?
> If not, what does it mean?
> If so, how? How can I find the hole - or should I re-install
> everything?
> 
> Thanks,
> -- 
> Matthijs
> vanaalten@hotmail.com

PAM_unix is your authentication daemon. I believe that you will see that
entry as the last for that day's log, and the first for the next day will be
"(pam_unix) session closed for user nobody by (uid=0)". This is the
logrotate program, running as nobody and then becoming root to manipulate
your logs.

The rest of the entries will show different applications running in CRON
or users starting a SSH session. As long as you recognize those SSH users
or CRON jobs you should be fine.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAafYwuLPldPuWZnARAljmAKC0kzXUVgPABCgNAy2ZfRZN9mQRqgCgnwcz
zxYrsClL1t6v/+20pLY6+GA=
=0sh3
-----END PGP SIGNATURE-----
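The question in this thread is how to read a pam_unix `su` session line. The following is an added example, not code from the thread or from Logcheck: a small parser that splits such a line into the service that logged it, the account the session was opened for, and the uid of the caller named in `by (uid=N)`, then labels each event so that "root dropped to an unprivileged account" is kept apart from "an unprivileged account obtained root", which is the case worth checking. The first sample line is the one quoted in the thread; the other lines, the host name, the user `alice` and the pids are constructed for the example. It handles both the older `(pam_unix)` prefix shown here and the newer `pam_unix(su:session):` prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input constructed for this example. Line 1 is the line quoted in the
# thread; the remaining lines are made up here to exercise the other cases.
SAMPLE_LOG = """\
Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)
Mar 30 06:25:03 MyMail su[13083]: (pam_unix) session closed for user nobody
Mar 30 07:12:41 MyMail su[13240]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 30 07:12:41 MyMail sshd[13301]: (pam_unix) session opened for user alice by (uid=0)
Mar 30 08:00:01 MyMail CRON[13410]: (pam_unix) session opened for user www-data by (uid=0)
Mar 30 08:00:02 MyMail kernel: eth0: link up
"""

# Matches the older "(pam_unix) session ..." form from the thread and the newer
# "pam_unix(su:session): session ..." form. In the older form the caller name
# before "(uid=N)" is empty, so by_name may be "".
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<service>[^\[\s:]+)\[(?P<pid>\d+)\]: "
    r"(?:\(pam_unix\)|pam_unix\([^)]*\):) session (?P<action>opened|closed) for user (?P<target>\S+)"
    r"(?: by (?P<by_name>[^(\s]*)\(uid=(?P<by_uid>\d+)\))?"
)


@dataclass
class PamSession:
    service: str            # program that logged the line: su, sshd, CRON, ...
    pid: int
    action: str             # "opened" or "closed"
    target: str             # account the session was opened for
    by_name: str            # caller's name, empty in the older log format
    by_uid: Optional[int]   # caller's uid from "by (uid=N)", None on "closed" lines


def parse_line(line: str) -> Optional[PamSession]:
    """Return a PamSession for a pam_unix session line, or None for anything else."""
    m = PAM_RE.match(line)
    if not m:
        return None
    uid = m.group("by_uid")
    return PamSession(
        service=m.group("service"),
        pid=int(m.group("pid")),
        action=m.group("action"),
        target=m.group("target"),
        by_name=m.group("by_name") or "",
        by_uid=int(uid) if uid is not None else None,
    )


def classify(s: PamSession) -> str:
    """Label a session event by who started it and for whom."""
    if s.action == "closed":
        return "close"
    if s.service == "su":
        if s.target == "root" and s.by_uid != 0:
            return "escalation"      # a non-root caller obtained root: confirm it was expected
        if s.by_uid == 0:
            return "privilege-drop"  # root (commonly a cron job or system script) became an unprivileged user
        return "user-switch"         # one unprivileged account switched to another
    if s.service.lower() == "cron":
        return "cron-job"            # cron opened a session to run a job as that user
    if s.service == "sshd":
        return "ssh-login"           # sshd, running as root, opened a login session for the user
    return "other"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, target account) for every pam_unix session line, in order."""
    out: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        s = parse_line(line)
        if s is not None:
            out.append((classify(s), s.target))
    return out


def escalations(log_text: str) -> List[str]:
    """Only the raw lines where a non-root caller obtained a root session via su."""
    return [line for line in log_text.splitlines()
            if (s := parse_line(line)) is not None and classify(s) == "escalation"]


if __name__ == "__main__":
    for category, target in triage(SAMPLE_LOG):
        print(f"{category:15s} {target}")
    print("lines to review:", len(escalations(SAMPLE_LOG)))
```

Run against the quoted line, the parser reports the session as opened for `nobody` by uid 0 and files it as a privilege drop; only the constructed `alice` to `root` line is returned by `escalations()`, which is the kind of line a Logcheck rule should surface rather than the `nobody` one.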
