Re: Strange 'su' error messages
On Thursday, January 15, 2004 5:17 PM [GMT+1=CET],
Barak Korren <ifireball@ifireball.dyndns.org> wrote:
> Ian Brayshaw wrote:
>
>> On Tuesday 13 January 2004 9:29 am, Christian Schuerer wrote:
>>
>>
>>> Since updating my debian server yesterday I get the following error
>>> messages every hour (generated by logcheck):
>>>
>>> Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody
>>>
>>>
>>
>> I now get similar messages in my logs after a recent upgrade of
>> AIDE.
>>
>> .ib
>>
>>
>>
>>
> I got those too:
>
> Jan 15 06:25:03 ifireball su[21163]: + ??? root:nobody
>
>
> However, I do not have AIDE installed, and grepping for "su" in
> /etc/cron/daily produced
> nothing meaningful.
> Also, chkrootkit reports processes hidden from ps, but /proc/*/status
> reports them to be
> ksoftirq_CPU0, kswapd, bdflush and kupdated, which seem to be legit
> (no doubles)
>
Yes, 'su' isn't called in the cron files, it's used to run the commands in
the cron files as the specified user.
So for example, my /etc/cron.d/mrtg contains:
    0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ]; then /usr/bin/mrtg /etc/mrtg.cfg >> /var/log/mrtg/mrtg.log; fi
so basically, it runs mrtg as user 'root' every 5 minutes. Thus, you'll see
an entry like you posted, to indicate that su has been used to become root
and execute the mrtg command.
Regards,
Teun
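
A small triage script for su lines like the ones quoted in this thread, added here as an example and not part of any poster's message. It assumes the su syslog layout `<+|-> <tty> <from_user>:<to_user>`, with `???` standing for "no controlling terminal"; the function names and the `examplehost` sample lines are constructed.

```python
import re

# Assumed layout (not stated in the thread):
#   <timestamp> <host> su[<pid>]: <+|-> <tty> <from_user>:<to_user>
SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu\[(?P<pid>\d+)\]:\s"
    r"(?P<result>[+-])\s(?P<tty>\S+)\s(?P<src>[^:\s]+):(?P<dst>\S+)$"
)

def parse_su_line(line):
    """Return the fields of one su syslog line as a dict, or None if it is not one."""
    m = SU_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["success"] = rec.pop("result") == "+"
    rec["has_tty"] = rec["tty"] != "???"
    return rec

def classify(rec):
    """Coarse triage label for a parsed su record."""
    if not rec["success"]:
        return "failed"
    if rec["src"] == "root" and rec["dst"] != "root" and not rec["has_tty"]:
        # root switching to an unprivileged account with no terminal attached
        return "root-drop-no-tty"
    if rec["dst"] == "root":
        return "escalation-to-root"
    return "other"

def triage(lines):
    """Pair every input line with its label; non-su lines are 'unparsed'."""
    out = []
    for line in lines:
        rec = parse_su_line(line)
        out.append((classify(rec) if rec else "unparsed", line))
    return out

SAMPLE = [
    "Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody",         # quoted in the thread
    "Jan 15 06:25:03 ifireball su[21163]: + ??? root:nobody",      # quoted in the thread
    "Jan 15 09:12:44 examplehost su[30211]: + pts/2 alice:root",   # constructed
    "Jan 15 09:13:02 examplehost su[30215]: - pts/3 bob:root",     # constructed
    "Jan 15 09:14:00 examplehost sshd[412]: session opened",       # constructed
]

if __name__ == "__main__":
    for label, line in triage(SAMPLE):
        print(f"{label:20} {line}")
```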