auth.log

To: debian-security@lists.debian.org
Subject: auth.log
From: Matthias Fritschi <fritschi@info-motion.ch>
Date: Wed, 20 Jun 2001 14:39:35 +0200
Message-id: <[🔎] 3B309987.9020305@info-motion.ch>

hi,

my linux knowledge comes more from the user/developer side of view, so im
learning a lot at the moment to be able to set up our new webserver.
today, i had the following two lines in auth.log, which scared me a bit:

> Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

could that mean somebody got into the server using a security leak in
a process running as nobody? at this time, i was still sleepeing, and
nobody else has access to the server yet... apache, proftpd (only for
the setup in the beginning), mysql, cron, atd, exim and sshd were
running on the machine at this moment.

the server is running since yesterday, and i got all those packages
with dselect from the debian server. so they should be fairly new...

cu,
matthias fritschi

Reply to:

Follow-Ups:
- Re: auth.log
  - From: Colin Phipps <cph@netcraft.com>
- Re: auth.log
  - From: Jakub Jankowski <shasta@quasimodo.olsztyn.tpsa.pl>

Prev by Date: Re: gnupg problem
Next by Date: Re: auth.log
Previous by thread: Re: My logs are full!!
Next by thread: Re: auth.log
Index(es):
- Date
- Thread