Hi Thorne,
It means that "root" switched user to nobody from an unknown terminal -> ???. Did you have any cron job running at that time? Since it was root to nobody, it looks like the script (or whatever is was), reduced its privileges before running... The following post at taosecurity talks about a similar case, where it was a cron job on Debian: http://taosecurity.blogspot.com/2007/02/consider-this-scenario.html *btw, check your logs for that period (at least a few hours before). **Richard's (from the above taosecurity link) gives some good tips on how to verify your alert (using a NSM point of view), but you can also extend his ideas by using log and integrity data (if anything changed on the system). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 3/19/07, Thorne Lawler <[EMAIL PROTECTED]> wrote:
Hi folks, I got a rather alarming level-12 message about my system, but I'm not completely sure what it's telling me: OSSEC HIDS Notification. 2007 Mar 20 06:25:16 Received From: tribble->/var/log/auth.log Rule: 40101 fired (level 12) -> "System user sucessfully logged to the system." Portion of the log(s): Mar 20 06:25:16 tribble su[3663]: + ??? root:nobody The system is an Ubuntu Linux system, and root login is disabled... so what could this potentially mean? I was certainly not awake an logged into this machine at 6:25am, and nobody else should have these priveleges... -- Thorne Lawler Technical Consultant ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery KAZ Group Pty Ltd 360 Elizabeth Street | Melbourne Victoria 3000 (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334 [EMAIL PROTECTED] | www.kaz-group.com -------------------------------------------------------------------------------- This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.
