Re: auth.log
On Wed, Jun 20, 2001 at 02:39:35PM +0200, Matthias Fritschi wrote:
> My Linux knowledge comes more from the user/developer side of view, so I'm
> learning a lot at the moment to be able to set up our new webserver.
> Today, I had the following two lines in auth.log, which scared me a bit:
>
> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

That looks like a su from root _to_ nobody.

> Could that mean somebody got into the server using a security leak in
> a process running as nobody?
> At this time, I was still sleeping, and nobody else has access to the server
> yet... [...] cron [...] running on the machine at this moment.

nausea ~% grep 25 /etc/crontab
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

It's a cron job that does a su nobody before running something; do a
grep nobody /etc/cron.daily/* and it'll probably be there.
--
Colin Phipps PGP 0x689E463E http://www.netcraft.com/
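
The same check run over a whole log, as an added example that is not part of the original message: it parses su lines in the format quoted above and reports whether a crontab entry for the source user was scheduled shortly before each one. The function names, the 5-minute window and the 03:12 log line are assumptions made for illustration; only the hour and minute fields are compared.

```python
import re
# Constructed sample: the auth.log and crontab lines quoted in the thread,
# plus one made-up su event (03:12) at a time when no job is scheduled.
AUTH_LOG = """\
Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
Jun 20 03:12:40 blacksun su[1999]: + pts/1 root-nobody
"""
CRONTAB = """\
# m h dom mon dow user command
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
"""
# Successful su: "<date> HH:MM:SS host su[pid]: + <tty> <from>-<to>"
SU_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):\d\d \S+ su\[(\d+)\]: \+ (\S+) ([^-\s]+)-(\S+)$")

def field_matches(spec, value):
    """Match one crontab time field: '*', '*/n', 'a', 'a-b', or a comma list of those."""
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = rng.partition("-")
        lo, hi = (0, 59) if rng == "*" else (int(lo), int(hi or lo))
        if lo <= value <= hi and (value - lo) % int(step or 1) == 0:
            return True
    return False

def cron_jobs(text):
    """Yield (minute, hour, user, command) from system-crontab lines (those with a user column)."""
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) == 7 and not line.lstrip().startswith("#"):
            yield parts[0], parts[1], parts[5], parts[6]

def fired(minute, hour, t, window):
    """True if the schedule fired at minute-of-day t or up to `window` minutes earlier."""
    return any(field_matches(hour, (t - d) // 60) and field_matches(minute, (t - d) % 60)
               for d in range(window + 1) if t >= d)

def explain_su_events(log, crontab, window=5):
    """Return (time, pid, tty, src, dst, job) per su; job is None if no cron entry explains it."""
    jobs, events = list(cron_jobs(crontab)), []
    for m in filter(None, map(SU_RE.match, log.splitlines())):
        hh, mm, pid, tty, src, dst = m.groups()
        t = int(hh) * 60 + int(mm)
        job = next((cmd for minute, hour, user, cmd in jobs
                    if user == src and fired(minute, hour, t, window)), None)
        events.append((f"{hh}:{mm}", int(pid), tty, src, dst, job))
    return events

if __name__ == "__main__":
    for event in explain_su_events(AUTH_LOG, CRONTAB):
        print(event)
```

An event whose job is None is the one to look at by hand; a match only says a scheduled job ran at that time, so the grep of /etc/cron.daily/* is still what confirms which script calls su.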