[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]



my linux knowledge comes more from the user/developer side of view, so im
learning a lot at the moment to be able to set up our new webserver.
today, i had the following two lines in auth.log, which scared me a bit:

> Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

could that mean somebody got into the server using a security leak in
a process running as nobody? at this time, i was still sleepeing, and
nobody else has access to the server yet... apache, proftpd (only for
the setup in the beginning), mysql, cron, atd, exim and sshd were
running on the machine at this moment.

the server is running since yesterday, and i got all those packages
with dselect from the debian server. so they should be fairly new...

matthias fritschi

Reply to: