Re: auth.log
On 2001-06-20, Matthias Fritschi wrote:
> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
>
>could that mean somebody got into the server using a security leak in
>a process running as nobody? at this time, i was still sleeping
[...]
No. It means that some process running with root privileges switched
its uid to nobody's. There is probably some cron job executed at 6:25am;
this is the most common reason for 'automatic' su'ing from
root to nobody. Look for files containing the string "25 6 *" somewhere
under /var. Their contents should explain many things to you.
I hope it'll help.
>matthias fritschi
Jakub Jankowski
--
(0> Jakub Jankowski [url]: s.atn.pl "Beauty is skin deep;
//\ shasta@IRCnet [uin]: 70171776 ugly goes right
V_/_ shasta@irc.pl [cell]: 502110186 to the bone."
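
The check described in the reply, as an added example that is not part of the original messages: it parses the su line from the quoted log and lists the crontab entries scheduled for the same hour and minute. The crontab text, its paths and the function names are constructed for illustration.

```python
import re

# Constructed sample input: auth.log lines from the thread and a made-up crontab.
AUTH_LOG = """\
Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
"""
CRONTAB = """\
# m h dom mon dow user command
*/10 * * * * root /usr/local/sbin/collect-stats
25 6 * * * root run-parts /etc/cron.daily
47 6 * * 7 root run-parts /etc/cron.weekly
"""
SU_LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):\d\d \S+ su\[(\d+)\]: "
                     r"([+-]) (\S+) ([^\s-]+)-(\S+)$")

def parse_su_events(log):
    """Return one dict per su line: '+'/'-' is success/failure, then tty, from-to."""
    events = []
    for line in log.splitlines():
        m = SU_LINE.match(line)
        if m:
            hh, mm, pid, sign, tty, src, dst = m.groups()
            events.append({"hour": int(hh), "minute": int(mm), "pid": int(pid),
                           "ok": sign == "+", "tty": tty, "from": src, "to": dst})
    return events

def field_matches(field, value):
    """True if a cron minute/hour field (*, n, a-b, lists, /step) covers value."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        else:
            lo, _, hi = rng.partition("-")
            lo, hi = int(lo), int(hi or lo)
        if lo <= value <= hi and (value - lo) % int(step or 1) == 0:
            return True
    return False

def cron_jobs_at(crontab, hour, minute):
    """Entries starting at hour:minute; day/month fields are reported, not checked."""
    jobs = []
    for line in crontab.splitlines():
        parts = line.split(None, 6)
        if (len(parts) == 7 and parts[0][0] in "*0123456789"
                and field_matches(parts[0], minute) and field_matches(parts[1], hour)):
            jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs
```

An su event with no crontab entry for its minute is the case that deserves a closer look; a match only makes the entry a candidate, since a long-running job can call su later than its start time.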