Re: `su to root' entry in syslog

On 15 Nov 1997, Ben Pfaff wrote:

> A user on my system caused a number of entries like this in the
> syslog:
> 	Nov 15 12:21:07 pfaffben su: (to root) eric on /dev/ttyp0
> However, the user says that he just uses `lynx' and `talk' (and I
> trust him to tell the truth about this).  What could cause a syslog
> entry like this?

Verify he's telling the truth.
1) Change the root password; I don't care if it's random characters, crack
   isn't the only way to find a password.
2) Check his history file: more ~eric/.bash_history (or the appropriate
   history file for his shell).
   Type "/ su" in more to see if it finds the command.
   If he's removed his history file, be suspicious.

Since these are all from his machine, maybe he's been hacked and doesn't
know it yet.

sudo and suid programs won't cause this log entry.  Another good idea may
be to move su to another location (su.orig), and place a script that sends
you an alarm and sleeps for a minute in its place, e.g.:

#!/bin/sh
# Wrapper installed in place of su: mail a process snapshot, then stall the caller.
ps auxf | mail -s "su attempt" pfaffben
sleep 60

This lets you know that there's been an attempt, what processes were
running, user id, and what the parent process is, along with stalling the
user for a minute so you can catch him/her in the act if you are around.

For some more fun, add a kill $PPID after the sleep.  It should kill their
shell that they executed the command from.  Then you can see who logged
out around the appropriate time.


Brandon Mitchell <bhmit1@mail.wm.edu>   "We all know linux is great... it
PGP: finger -l bhmit1@cs.wm.edu          does infinite loops in 5 seconds"
Phone: (757) 221-4847                      --Linus Torvalds
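As an added example (not part of the original post), a small POSIX shell script that pulls the "su: (to ...) user on tty" records discussed above out of syslog-format lines, counts su-to-root attempts per source user, and lists the ttys each user escalated from so they can be compared against login records. The log lines embedded in it are constructed samples, not real data.

```shell
#!/bin/sh
# Summarise su records of the form seen in the thread:
#   Nov 15 12:21:07 pfaffben su: (to root) eric on /dev/ttyp0
# Functions read syslog-format lines on stdin and print one result per line.

# Constructed sample log (not real data); one non-su line is included so the
# filter can be seen ignoring unrelated records.
SAMPLE_LOG='Nov 15 12:21:07 pfaffben su: (to root) eric on /dev/ttyp0
Nov 15 12:21:40 pfaffben su: (to root) eric on /dev/ttyp0
Nov 15 12:22:03 pfaffben su: (to eric) root on /dev/ttyp0
Nov 15 13:02:11 pfaffben login: ROOT LOGIN on tty1
Nov 15 14:10:55 pfaffben su: (to root) alice on /dev/ttyp2'

# su_events: extract "Mon DD HH:MM:SS user target tty" for every su record.
su_events() {
    sed -n 's/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]*\) [^ ]* su: (to \([^)]*\)) \([^ ]*\) on \(.*\)$/\1 \3 \2 \4/p'
}

# root_su_counts: "count user" for every user who ran su to root, most first.
# Fields after su_events: $1-$3 timestamp, $4 user, $5 target, $6 tty.
root_su_counts() {
    su_events | awk '$5 == "root" { n[$4]++ } END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# ttys_for_user: distinct ttys from which the given user ran su; compare
# these against that user's login records (wtmp/"last") for the same times.
ttys_for_user() {
    su_events | awk -v u="$1" '$4 == u { print $6 }' | sort -u
}

# Report on the constructed sample when run directly.
printf '%s\n' "== su to root, attempts per user =="
printf '%s\n' "$SAMPLE_LOG" | root_su_counts
printf '%s\n' "== ttys eric used for su =="
printf '%s\n' "$SAMPLE_LOG" | ttys_for_user eric
```

Point real logs at the functions with e.g. `grep ' su: ' /var/log/auth.log | root_su_counts` (path assumed; adjust for the local syslog configuration).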