On 2001-06-20, Matthias Fritschi wrote:
> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by
>(uid=0)
>
>could that mean somebody got into the server using a security leak in
>a process running as nobody? at this time, i was still sleepeing
[...]
No. It means that some process running with root privileges switched
its uid to nobody's. There is some cron job executed at 6:25am
probably, this is the most common reason of 'automatic' su'ing from
root to nobody. Look for files containing string "25 6 *" somewhere
under /var. Their contents should explain you many things.
I hope it'll help.
>matthias fritschi
Jakub Jankowski
--
(0> Jakub Jankowski [url]: s.atn.pl "Beauty is skin deep;
//\ shasta@IRCnet [uin]: 70171776 ugly goes right
V_/_ [EMAIL PROTECTED] [cell]: 502110186 to the bone."
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
