[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: auth.log

On Wed, Jun 20, 2001 at 02:39:35PM +0200, Matthias Fritschi wrote:
> my linux knowledge comes more from the user/developer side of view, so im
> learning a lot at the moment to be able to set up our new webserver.
> today, i had the following two lines in auth.log, which scared me a bit:
>  > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
>  > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

That looks like a su from root _to_ nobody.

> could that mean somebody got into the server using a security leak in
> a process running as nobody?
> at this time, i was still sleepeing, and nobody else has access to the server
> yet... [...] cron [...] running on the machine at this moment.

nausea ~% grep 25 /etc/crontab
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

It's a cron job that does a su nobody before running something, do a
grep nobody /etc/cron.daily/* and it'll probably be there.

Colin Phipps         PGP 0x689E463E     http://www.netcraft.com/

Reply to: