
Re: Security



For me, not the same day but at about the same time; I think it's a cron job.

sudo sudo fgrep -r "root-nobody" /var/log/*
...
/var/log/auth.log:Dec 22 06:25:13 mimosa su[12294]: + ??? root-nobody
/var/log/auth.log:Dec 23 06:25:14 mimosa su[24730]: + ??? root-nobody
/var/log/auth.log:Dec 24 06:25:17 mimosa su[5057]: + ??? root-nobody
/var/log/auth.log:Dec 25 06:25:13 mimosa su[16687]: + ??? root-nobody
...

Georges

baptiste Mille-Mathias wrote:

Charles Grellois wrote:

Hello,
This morning I found a strange Christmas present in my logs. Not being
a security expert, I would like your opinion on whether I should be
worried. Below are the relevant files, which are worth more than a
long speech:
**auth.log:
Dec 25 06:25:01 homedebian PAM_unix[3729]: (cron) session opened for user root by (uid=0)
Dec 25 06:25:02 homedebian su[3751]: + ??? root-nobody
Dec 25 06:25:02 homedebian PAM_unix[3751]: (su) session opened for user nobody by (uid=0)
Dec 25 06:27:05 homedebian PAM_unix[3729]: (cron) session closed for user root



Strange, I have the same events at the same time and on the same day on my server.

Dec 22 06:25:01 www su[19884]: + ??? root-nobody
Dec 22 06:25:01 www PAM_unix[19884]: (su) session opened for user nobody by (uid=0)
Dec 23 06:25:01 www su[22253]: + ??? root-nobody
Dec 23 06:25:01 www PAM_unix[22253]: (su) session opened for user nobody by (uid=0)
Dec 24 06:25:01 www su[24606]: + ??? root-nobody
Dec 24 06:25:01 www PAM_unix[24606]: (su) session opened for user nobody by (uid=0)
Dec 25 06:25:01 www su[26066]: + ??? root-nobody
Dec 25 06:25:01 www PAM_unix[26066]: (su) session opened for user nobody by (uid=0)
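
An added example, not part of any message in this thread: one way to check the cron hypothesis against auth.log is to label each `su ... root-nobody` entry by whether it falls inside a root cron session on the same host, or at least recurs at the same time of day on several days. The function name `classify`, the `year`, `tolerance_s` and `min_days` parameters and the 14:03:40 log line are assumptions made for this sketch; the other sample lines are taken from the messages above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines quoted in the thread, plus one constructed
# off-schedule entry (Dec 25 14:03:40) to show the "review" outcome.
SAMPLE = """\
Dec 25 06:25:01 homedebian PAM_unix[3729]: (cron) session opened for user root by (uid=0)
Dec 25 06:25:02 homedebian su[3751]: + ??? root-nobody
Dec 25 06:27:05 homedebian PAM_unix[3729]: (cron) session closed for user root
Dec 22 06:25:13 mimosa su[12294]: + ??? root-nobody
Dec 23 06:25:14 mimosa su[24730]: + ??? root-nobody
Dec 24 06:25:17 mimosa su[5057]: + ??? root-nobody
Dec 25 14:03:40 mimosa su[20111]: + ??? root-nobody
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")

def classify(text, year=2000, tolerance_s=120, min_days=3):
    """Label each 'su root-nobody' event: 'cron-session', 'recurring' or 'review'."""
    windows = defaultdict(list)   # host -> [[opened, closed-or-None], ...]
    open_by_pid, su_events = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # syslog lines carry no year; 'year' is an assumed placeholder
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        host, prog, pid, msg = m[2], m[3], m[4], m[5]
        if msg.startswith("(cron) session opened for user root"):
            open_by_pid[host, pid] = [ts, None]
            windows[host].append(open_by_pid[host, pid])
        elif msg.startswith("(cron) session closed for user root") and (host, pid) in open_by_pid:
            open_by_pid.pop((host, pid))[1] = ts
        elif prog == "su" and msg.endswith("root-nobody"):
            su_events.append((ts, host))
    tod = lambda t: t.hour * 3600 + t.minute * 60 + t.second
    out = []
    for ts, host in su_events:
        # A session with no logged close is treated as lasting tolerance_s seconds
        in_cron = any(o <= ts <= (c or o + timedelta(seconds=tolerance_s)) for o, c in windows[host])
        # Distinct days on which this host logged the same su at about this time of day
        days = {t.date() for t, h in su_events if h == host and abs(tod(t) - tod(ts)) <= tolerance_s}
        label = "cron-session" if in_cron else "recurring" if len(days) >= min_days else "review"
        out.append((host, ts.strftime("%b %d %H:%M:%S"), label))
    return out

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

Entries labelled `review` are the ones worth tracing by hand; `recurring` only says the timing is consistent with a scheduled job, not which job ran.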





