
Re: 'su by nobody' - should I be worried?



On Wed, 31 Mar 2004 00:40:19 +0200, Martin Dickopp
<martin-deb@zero-based.org> wrote:

> Matthijs <vanaalten@hotmail.com> writes:
> 
> > Since a few days, Logcheck reports a lot of messages like this:
> >
> > ---------------------------------------------------------------------
> > Security Violations for su
> > =-=-=-=-=-=-=-=-=-=-=-=-=-
> > Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> > nobody by (uid=0)
> > ---------------------------------------------------------------------
> >
> > The only way I can read these messages is that user 'nobody' has done a
> > 'su' - become root.
> 
> No, it's the other way around: 'root' has used 'su' to become 'nobody'.
> This is probably part of a script (run by a cronjob?).

Ah, I interpreted the word 'for' in the report incorrectly! Indeed a
cronjob, something that is executed precisely at 06:25.

I sleep much better now - thanks!
-- 
Matthijs
vanaalten@hotmail.com
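
How the log line quoted above reads, as an added example that is not part of the original thread: a small parser that extracts the target user ("for user") and the invoking uid ("by") from a pam_unix session line and labels the direction of the change. The second sample line, the login name `alice`, and the classification labels are constructed for illustration.

```python
import re

# pam_unix names the TARGET account after "for user" and the INVOKING
# account (optional login name plus uid) after "by".
SESSION_RE = re.compile(
    r"(?P<service>[\w.-]+)\[(?P<pid>\d+)\]: \(pam_unix\) session opened "
    r"for user (?P<target>\S+) by (?P<login>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

# Sample input: the first line is the one quoted in the thread (re-joined
# after mail wrapping); the second is constructed for contrast.
SAMPLE_LINES = [
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)",
    "Mar 30 09:12:44 MyMail su[14201]: (pam_unix) session opened for user root by alice(uid=1000)",
]

def parse_session(line):
    """Return who became whom, or None if the line is not a session-open."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    return {
        "service": m.group("service"),
        "target": m.group("target"),
        "invoking_uid": int(m.group("uid")),
        "invoking_login": m.group("login") or None,
    }

def classify(event):
    """Label the direction of the identity change (labels are this example's own)."""
    if event["invoking_uid"] == 0 and event["target"] != "root":
        return "root-to-unprivileged"
    if event["invoking_uid"] != 0 and event["target"] == "root":
        return "user-to-root"
    return "other"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_session(line)
        print(classify(event), event)
```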


