On Wed, Jun 20, 2001 at 02:39:35PM +0200, Matthias Fritschi wrote:
> my linux knowledge comes more from the user/developer side of view, so i'm
> learning a lot at the moment to be able to set up our new webserver.
> today, i had the following two lines in auth.log, which scared me a bit:
>
> > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
> > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user
> nobody by (uid=0)

That looks like a su from root _to_ nobody.

> could that mean somebody got into the server using a security leak in
> a process running as nobody?
> at this time, i was still sleeping, and nobody else has access to the server
> yet... [...] cron [...] running on the machine at this moment.

nausea ~% grep 25 /etc/crontab
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

It's a cron job that does a su nobody before running something; do a
grep nobody /etc/cron.daily/* and it'll probably be there.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/
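
The triage done by hand in the reply above, as an added example that is not part of the original message: parse the su line from auth.log and look for a system crontab job owned by the originating user that is due in the same minute. The function names are hypothetical, and the code assumes su's log format where "+" marks success and "???" means no controlling terminal.

```python
import re

# Constructed sample input: the log and crontab lines quoted in the thread.
AUTH_LOG = """\
Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)
"""
CRONTAB = "25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily\n"

# "<+|-> <tty> <from>-<to>"; a source user containing '-' would need extra handling.
SU_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):\d\d\s+\S+\s+su\[(\d+)\]:\s+"
    r"([+-])\s+(\S+)\s+([^\s-]+)-(\S+)$")

def parse_su_events(log_text):
    """Yield one dict per su line: time, pid, success flag, tty, from/to user."""
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            hh, mm, pid, flag, tty, src, dst = m.groups()
            yield {"hour": int(hh), "minute": int(mm), "pid": int(pid),
                   "ok": flag == "+", "tty": tty, "from": src, "to": dst}

def field_matches(field, value):
    """Match one crontab time field: '*', 'a', 'a-b', comma lists, '/n' steps."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        # "a" becomes the range a-a, "a-b" stays a-b, "*" covers everything.
        lo, hi = (0, 59) if rng == "*" else map(int, (rng.split("-") * 2)[:2])
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False

def explain(log_text, crontab_text):
    """Pair each su event with the system-crontab jobs due in that minute.
    Only the minute, hour and user columns are compared (day fields ignored)."""
    out = []
    for ev in parse_su_events(log_text):
        jobs = []
        for line in crontab_text.splitlines():
            f = line.split(None, 6)  # m h dom mon dow user command
            if len(f) == 7 and f[0][0] in "0123456789*" and f[5] == ev["from"] \
                    and field_matches(f[0], ev["minute"]) and field_matches(f[1], ev["hour"]):
                jobs.append(f[6])
        out.append((ev, jobs))
    return out
```

An event that comes back with an empty job list, or with a real tty instead of "???", is the one that deserves a closer look.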

