Since a few days, Logcheck reports a lot of messages like this: --------------------------------------------------------------------- Security Violations for su =-=-=-=-=-=-=-=-=-=-=-=-=- Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0) ---------------------------------------------------------------------
I've had similar messages for various users for cron and sshd. Should I be worried? The only way I can read this messages is that user 'nobody' has done a 'su' - become root. I don't know what the 'pam_unix' part means. So: does this mean my server has been compromised? If not, what does it mean? If so, how? How can I find the hole - or should I re-install everything? Thanks, -- Matthijs [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
