Re: auth.log

To: debian-security@lists.debian.org
Subject: Re: auth.log
From: Colin Phipps <cph@netcraft.com>
Date: Wed, 20 Jun 2001 13:46:26 +0100
Message-id: <[🔎] 20010620134626.C5295@netcraft.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 3B309987.9020305@info-motion.ch>
References: <[🔎] 3B309987.9020305@info-motion.ch>

On Wed, Jun 20, 2001 at 02:39:35PM +0200, Matthias Fritschi wrote:
> my linux knowledge comes more from the user/developer side of view, so im
> learning a lot at the moment to be able to set up our new webserver.
> today, i had the following two lines in auth.log, which scared me a bit:
> 
>  > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
>  > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

That looks like a su from root _to_ nobody.

> could that mean somebody got into the server using a security leak in
> a process running as nobody?
> at this time, i was still sleepeing, and nobody else has access to the server
> yet... [...] cron [...] running on the machine at this moment.

nausea ~% grep 25 /etc/crontab
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

It's a cron job that does a su nobody before running something, do a
grep nobody /etc/cron.daily/* and it'll probably be there.

-- 
Colin Phipps         PGP 0x689E463E     http://www.netcraft.com/

Reply to:

Follow-Ups:
- Re: auth.log
  - From: Ethan Benson <erbenson@alaska.net>

References:
- auth.log
  - From: Matthias Fritschi <fritschi@info-motion.ch>

Prev by Date: auth.log
Next by Date: Re: auth.log
Previous by thread: auth.log
Next by thread: Re: auth.log
Index(es):
- Date
- Thread