On Tue, 30 Mar 2004 22:55:29 +0200
Matthijs <[EMAIL PROTECTED]> wrote:

> Since a few days, Logcheck reports a lot of messages like this:
>
> ---------------------------------------------------------------------
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user
> nobody by (uid=0)
> ---------------------------------------------------------------------
>
> I've had similar messages for various users for cron and sshd.
>
> Should I be worried? The only way I can read these messages is that
> user 'nobody' has done a 'su' - become root. I don't know what the
> 'pam_unix' part means.
>
> So: does this mean my server has been compromised?
> If not, what does it mean?
> If so, how? How can I find the hole - or should I re-install
> everything?
>
> Thanks,
> --
> Matthijs
> [EMAIL PROTECTED]

PAM_unix is your authentication daemon. I believe that you will see
that entry as the last for that day's log and the first for the next day
will be "(pam_unix) session closed for user nobody by (uid=0)". This is
the logrotate program, running as nobody and then becoming root to
manipulate your logs.

The rest of the entries will show different applications running in CRON
or users starting an SSH session. As long as you recognize those SSH
users or CRON jobs you should be fine.
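
One way to do the review the reply suggests, as an added example that is not part of the original thread: it parses `(pam_unix)` session lines in the format Logcheck quoted, reports every opened session whose service, user and calling uid are not on an allowlist, and lists sessions that have no matching close. Only the first sample line comes from the thread; the other log lines, the user `alice` and the allowlist are constructed for illustration.

```python
import re

# Syslog line in the old "(pam_unix)" style that Logcheck quoted in the thread.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<service>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s\(pam_unix\)\s"
    r"session\s(?P<event>opened|closed)\sfor\suser\s(?P<user>\S+)"
    r"(?:\sby\s(?P<by>[^()\s]*)\(uid=(?P<uid>\d+)\))?\s*$"
)

def parse_line(line):
    """Return the fields of a pam_unix session line, or None for other lines."""
    m = SESSION_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # uid is that of the process that opened the session; may be absent on close.
    rec["uid"] = int(rec["uid"]) if rec["uid"] is not None else None
    return rec

def review(lines, expected):
    """Return (opened sessions not in `expected`, sessions never closed)."""
    open_sessions, unexpected = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["service"], rec["pid"])
        if rec["event"] == "opened":
            open_sessions[key] = rec
            if (rec["service"], rec["user"], rec["uid"]) not in expected:
                unexpected.append(rec)
        else:
            open_sessions.pop(key, None)
    return unexpected, list(open_sessions.values())

# First line is from the thread; the rest are constructed sample input.
SAMPLE = [
    "Mar 30 06:25:02 MyMail su[13083]: (pam_unix) session opened for user nobody by (uid=0)",
    "Mar 30 06:25:03 MyMail su[13083]: (pam_unix) session closed for user nobody",
    "Mar 30 06:30:01 MyMail CRON[13101]: (pam_unix) session opened for user root by (uid=0)",
    "Mar 30 06:30:01 MyMail CRON[13101]: (pam_unix) session closed for user root",
    "Mar 30 09:12:44 MyMail sshd[13210]: (pam_unix) session opened for user alice by (uid=0)",
    "Mar 30 09:40:10 MyMail su[13305]: (pam_unix) session opened for user root by alice(uid=1000)",
]
# Hypothetical allowlist: (service, session user, calling uid) the admin recognises.
EXPECTED = {("su", "nobody", 0), ("CRON", "root", 0), ("sshd", "alice", 0)}

if __name__ == "__main__":
    unexpected, still_open = review(SAMPLE, EXPECTED)
    for r in unexpected:
        print("REVIEW:", r["ts"], r["service"], "->", r["user"], "by", r["by"] or "-", "uid", r["uid"])
    for r in still_open:
        print("OPEN:  ", r["ts"], r["service"], r["pid"], r["user"])
```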

