
Re: auth.log



On 2001-06-20, Matthias Fritschi wrote:

> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
>
>could that mean somebody got into the server using a security leak in
>a process running as nobody? at this time, i was still sleeping
[...]

 No. It means that some process running with root privileges switched
its uid to nobody's. There is probably some cron job executed at 6:25am;
this is the most common reason for 'automatic' su'ing from
root to nobody. Look for files containing the string "25 6 *" somewhere
under /var. Their contents should explain many things to you.

 I hope it'll help.

>matthias fritschi

 Jakub Jankowski

-- 
(0>  Jakub Jankowski  [url]: s.atn.pl   "Beauty is skin deep;
//\   shasta@IRCnet   [uin]: 70171776    ugly goes right
V_/_  shasta@irc.pl  [cell]: 502110186   to the bone."
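
Added example, not part of the original message: a small triage script that parses `su` lines like the ones quoted above and checks whether a root-to-other-user switch with no terminal (`???`) coincides with a crontab entry for the same hour and minute. The crontab lines and the third log line are constructed, and the command paths are hypothetical.

```python
import re

# Constructed samples: the thread's two log lines plus a made-up interactive
# su, and a per-user crontab (five time fields, then a hypothetical command).
LOG = """\
Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
Jun 20 14:03:11 blacksun su[3120]: + pts/1 alice-root
""".splitlines()
CRON = """\
# m h dom mon dow command
25 6 * * * /usr/local/bin/nightly-index
0 * * * * /usr/local/bin/hourly-report
""".splitlines()

# su's syslog line: "<+|-> <tty> <from>-<to>"; "???" means no controlling tty.
SU_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):\d\d\s+\S+\s+su\[\d+\]:\s+"
                   r"[+-]\s+(\S+)\s+([^\s-]+)-(\S+)$")

def parse_su_events(lines):
    # One dict per su line; other lines (e.g. PAM_unix) are skipped.
    keys = ("hour", "minute", "tty", "from", "to")
    found = [SU_RE.match(line) for line in lines]
    return [dict(zip(keys, m.groups())) for m in found if m]

def field_matches(field, value):
    # Handles '*' and comma-separated numbers; ranges and steps are not handled.
    return field == "*" or any(p.isdigit() and int(p) == value
                               for p in field.split(","))

def cron_jobs_at(cron_lines, hour, minute):
    # Commands whose minute and hour fields match (day fields are ignored).
    jobs = []
    for line in cron_lines:
        parts = line.split(None, 5)
        if len(parts) == 6 and not line.lstrip().startswith("#") \
                and field_matches(parts[0], minute) and field_matches(parts[1], hour):
            jobs.append(parts[5])
    return jobs

def triage(log_lines, cron_lines):
    # 'scheduled' = root, no tty, and a cron entry at that minute; else 'review'.
    out = []
    for ev in parse_su_events(log_lines):
        jobs = cron_jobs_at(cron_lines, int(ev["hour"]), int(ev["minute"]))
        ok = ev["from"] == "root" and ev["tty"] == "???" and bool(jobs)
        out.append((ev["from"], ev["to"], "scheduled" if ok else "review", jobs))
    return out
```

Calling `triage(LOG, CRON)` labels the 06:25 root-to-nobody event as `scheduled` and the interactive one as `review`; a `scheduled` label only says a cron entry exists at that time, so the listed job still needs to be read.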


