Re: `su to root' entry in syslog
On 15 Nov 1997, Ben Pfaff wrote:
> A user on my system caused a number of entries like this in the
> syslog:
>
> Nov 15 12:21:07 pfaffben su: (to root) eric on /dev/ttyp0
>
> However, the user says that he just uses `lynx' and `talk' (and I
> trust him to tell the truth about this). What could cause a syslog
> entry like this?
Verify he's telling the truth.
1) change the root password, I don't care if it's random characters, crack
isn't the only way to find a password.
2) check his history file: more ~eric/.bash_history (or the appropriate
history file for his shell).
Type "/ su" in more to see if it finds the command.
If he's removed his history file, be suspicious.
Since these are all from his machine, maybe he's been hacked and doesn't
know it yet.
sudo and suid programs won't cause this log entry. Another good idea may
be to move su to another location (su.orig), and place a script that sends
you an alarm and sleeps for a minute in it's place, e.g.:
#!/bin/sh
ps auxf | mail -s "su attempt" pfaffben
sleep 1m
This lets you know that there's been an attempt, what processes were
running, user id, and what the parent process is, along with stalling the
user for a minute so you can catch him/her in the act if you are around.
For some more fun, add a kill $PPID after the sleep. It should kill their
shell that they executed the command from. Then you can see who logged
out around the appropriate time.
Enjoy,
Brandon
-----
Brandon Mitchell <bhmit1@mail.wm.edu> "We all know linux is great... it
PGP: finger -l bhmit1@cs.wm.edu does infinite loops in 5 seconds"
Phone: (757) 221-4847 --Linus Trovalds
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: