On 2001-06-20, Matthias Fritschi wrote: > > Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody > > Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user > > nobody by (uid=0) > >could that mean somebody got into the server using a security leak in >a process running as nobody? at this time, i was still sleepeing [...]
No. It means that some process running with root privileges switched its uid to nobody's. There is some cron job executed at 6:25am probably, this is the most common reason of 'automatic' su'ing from root to nobody. Look for files containing string "25 6 *" somewhere under /var. Their contents should explain you many things. I hope it'll help. >matthias fritschi Jakub Jankowski -- (0> Jakub Jankowski [url]: s.atn.pl "Beauty is skin deep; //\ [EMAIL PROTECTED] [uin]: 70171776 ugly goes right V_/_ [EMAIL PROTECTED] [cell]: 502110186 to the bone."
