Re: 'su by nobody' - should I be worried?

From: Bill Thompson (Billt_at_Mahagonny.com)
Date: 03/31/04

    Date: Tue, 30 Mar 2004 14:35:29 -0800
    To: debian-user@lists.debian.org

    On Tue, 30 Mar 2004 22:55:29 +0200
    Matthijs <vanaalten@hotmail.com> wrote:

    > Since a few days, Logcheck reports a lot of messages like this:
    >
    > ---------------------------------------------------------------------
    > Security Violations for su
    > =-=-=-=-=-=-=-=-=-=-=-=-=-
    > Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
    > nobody by (uid=0)
    > ---------------------------------------------------------------------
    >
    > I've had similar messages for various users for cron and sshd.
    >
    > Should I be worried? The only way I can read these messages is that
    > user 'nobody' has done a 'su' - become root. I don't know what the
    > 'pam_unix' part means.
    >
    > So: does this mean my server has been compromised?
    > If not, what does it mean?
    > If so, how? How can I find the hole - or should I re-install
    > everything?
    >
    > Thanks,
    > --
    > Matthijs
    > vanaalten@hotmail.com

    PAM_unix is your authentication daemon. I believe that you will see that
    entry as the last for that day's log and the first for the next day will be
    "(pam_unix) session closed for user nobody by (uid=0)". This is the
    logrotate program, running as nobody and then becoming root to manipulate
    your logs.

    The rest of the entries will show different applications running in CRON
    or users starting a SSH session. As long as you recognize those SSH users
    or CRON jobs you should be fine.

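As an added example that is not part of the thread, the following Python script parses pam_unix session lines of the form quoted above and applies the rule in Bill's reply: a su session opened for an unprivileged user by (uid=0) is root dropping privileges (logrotate, cron), while a root session opened by a non-root uid is the one worth reviewing. Everything beyond the single quoted log line is constructed: the extra sample lines, and the assumption that the "by" field may carry a caller name such as matthijs(uid=1000).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex for the pam_unix session lines quoted in the thread. The "by" field is
# "(uid=0)" in the quoted line; the optional caller name before "(uid=" is an
# assumption about other systems' formatting, not taken from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<svc>\w+)\[(?P<pid>\d+)\]: \(pam_unix\) session "
    r"(?P<action>opened|closed) for user (?P<target>\S+) "
    r"by (?P<by_name>\w*)\(uid=(?P<by_uid>\d+)\)$"
)

@dataclass
class Session:
    ts: str
    svc: str      # su, CRON, sshd, ...
    action: str   # opened | closed
    target: str   # account the session was opened for
    by_uid: int   # uid of the process that opened it

def parse_line(line: str) -> Optional[Session]:
    """Parse one syslog line; None for lines that are not pam_unix session events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Session(m["ts"], m["svc"], m["action"], m["target"], int(m["by_uid"]))

def triage(lines: List[str]) -> List[str]:
    """One verdict per 'session opened' line: 'review' when a non-root uid opens a
    root session via su, 'expected' when uid 0 itself opens the su session (root
    dropping to nobody, as logrotate does), 'info' for everything else."""
    verdicts = []
    for line in lines:
        s = parse_line(line)
        if s is None or s.action != "opened":
            continue
        if s.svc == "su" and s.target == "root" and s.by_uid != 0:
            verdicts.append(f"review: uid {s.by_uid} became root via su at {s.ts}")
        elif s.svc == "su" and s.by_uid == 0:
            verdicts.append(f"expected: root (uid 0) opened su session for {s.target} at {s.ts}")
        else:
            verdicts.append(f"info: {s.svc} session for {s.target} by uid {s.by_uid} at {s.ts}")
    return verdicts

# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)",
    "Mar 30 06:25:03 MyMail su[13083]: (pam_unix) session closed for user nobody by (uid=0)",
    "Mar 30 06:25:01 MyMail CRON[13080]: (pam_unix) session opened for user root by (uid=0)",
    "Mar 30 09:12:44 MyMail sshd[13200]: (pam_unix) session opened for user matthijs by (uid=0)",
    "Mar 30 09:13:10 MyMail su[13211]: (pam_unix) session opened for user root by matthijs(uid=1000)",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```

Running it prints one line per opened session; only the last constructed line, where uid 1000 becomes root, is flagged for review.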
