Re: 'su by nobody' - should I be worried?
From: p (pplaw_at_pcisys.net)
Date: 03/31/04
- Previous message: Martin Dickopp: "Re: 'su by nobody' - should I be worried?"
- In reply to: Matthijs: "'su by nobody' - should I be worried?"
- Next in thread: Bill Thompson: "Re: 'su by nobody' - should I be worried?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Mar 2004 22:37:15 +0000 To: debian-user@lists.debian.org
On Tue, Mar 30, 2004 at 10:55:29PM +0200, Matthijs wrote:
> Since a few days, Logcheck reports a lot of messages like this:
>
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
>
> I've had similar messages for various users for cron and sshd.
>
> Should I be worried? The only way I can read this messages is that
> user 'nobody' has done a 'su' - become root. I don't know what the
> 'pam_unix' part means.
>
> So: does this mean my server has been compromised?
> If not, what does it mean?
> If so, how? How can I find the hole - or should I re-install
> everything?
>
> Thanks,
> --
> Matthijs
> vanaalten@hotmail.com
>
>
>
//
http://lists.debian.org/debian-user/2003/debian-user-200303/msg00472.htm
kthxbye.
b.
//
-- To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
- Previous message: Martin Dickopp: "Re: 'su by nobody' - should I be worried?"
- In reply to: Matthijs: "'su by nobody' - should I be worried?"
- Next in thread: Bill Thompson: "Re: 'su by nobody' - should I be worried?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
