
Re: 'su by nobody' - should I be worried?



On Tue, Mar 30, 2004 at 10:55:29PM +0200, Matthijs wrote:
> Since a few days, Logcheck reports a lot of messages like this:
> 
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
> 
> I've had similar messages for various users for cron and sshd.
> 
> Should I be worried? The only way I can read these messages is that
> user 'nobody' has done a 'su' - become root. I don't know what the
> 'pam_unix' part means.
> 
> So: does this mean my server has been compromised?
> If not, what does it mean?
> If so, how? How can I find the hole - or should I re-install
> everything?
> 
> Thanks,
> -- 
> Matthijs
> vanaalten@hotmail.com
> 
> 
>


//

http://lists.debian.org/debian-user/2003/debian-user-200303/msg00472.htm

kthxbye.

b.

// 


