Re: [Q] intrusion

To: debian-security@lists.debian.org
Subject: Re: [Q] intrusion
From: Michael Wuertz <wuertz@hrz.tu-darmstadt.de>
Date: Thu, 15 Jun 2000 17:02:12 +0200
Message-id: <[🔎] 00061517070104.10345@pc381>
In-reply-to: <[🔎] XFMail.20000615110012.pvlad@bigfoot.com>
References: <[🔎] XFMail.20000615110012.pvlad@bigfoot.com>

> PAM_UNIX[763]: (su) session opened for user www-data by (uid=0)
> su [821]: + ??? root-nobody
> 
> PAM_UNIX[821]: (su) session opened for user nobody by (uid=0) 

> anymore (I do assume that it is an intrusion attack,
> unless there is a much simpler explanation for this).

No intrusion. It's just the normal behaviour of (a) the web server
(httpd) and (b) many other daemons:
they change their uid to (a) www-data , (b) nobody in order
to make (possible) security holes less painful.


-- 
Michael Wuertz <wuertz@hrz.tu-darmstadt.de>      Tel: +49-6151-16-5812

* magic is real - unless declared integer *

Reply to:

References:
- [Q] intrusion
  - From: pvlad@bigfoot.com

Prev by Date: [Q] intrusion
Next by Date: Re: [Q] intrusion
Previous by thread: [Q] intrusion
Next by thread: Re: [Q] intrusion
Index(es):
- Date
- Thread