Daniel,

Yes, this alert came out when the cron-jobs were running, which is why I posted it: it seems very odd to throw a level-12 alert over a cron-job su-ing to nobody. I have verified that this was definitely a known cron-job.

I would be inclined to say that root su-ing to any other user is not something I want to raise an alert for.

--
Thorne Lawler
Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
[EMAIL PROTECTED] | www.kaz-group.com
--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.


Daniel Cid <[EMAIL PROTECTED]>
Sent by: [email protected]
20/03/2007 01:32 PM
Please respond to [email protected]

To: [email protected]
cc:
Subject: [ossec-list] Re: System user sucessfully logged to the system ???

Hi Thorne,

It means that "root" switched user to nobody from an unknown terminal -> ???. Did you have any cron job running at that time? Since it was root to nobody, it looks like the script (or whatever it was) reduced its privileges before running...

The following post at taosecurity talks about a similar case, where it was a cron job on Debian:
http://taosecurity.blogspot.com/2007/02/consider-this-scenario.html

*btw, check your logs for that period (at least a few hours before).

**Richard (from the above taosecurity link) gives some good tips on how to verify your alert (using a NSM point of view), but you can also extend his ideas by using log and integrity data (if anything changed on the system).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 3/19/07, Thorne Lawler <[EMAIL PROTECTED]> wrote:
>
> Hi folks,
>
> I got a rather alarming level-12 message about my system, but I'm not
> completely sure what it's telling me:
>
> OSSEC HIDS Notification.
> 2007 Mar 20 06:25:16
>
> Received From: tribble->/var/log/auth.log
> Rule: 40101 fired (level 12) -> "System user sucessfully logged to the system."
> Portion of the log(s):
>
> Mar 20 06:25:16 tribble su[3663]: + ??? root:nobody
>
> The system is an Ubuntu Linux system, and root login is disabled... so
> what could this potentially mean? I was certainly not awake and logged into
> this machine at 6:25am, and nobody else should have these privileges...
>
> --
> Thorne Lawler
>
> Technical Consultant
> ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery
> KAZ Group Pty Ltd
> 360 Elizabeth Street | Melbourne Victoria 3000
> (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> [EMAIL PROTECTED] | www.kaz-group.com
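As an added example (not from the thread, and not OSSEC's own decoder or rules), a small Python triage of su log lines in the format quoted above, as written by shadow's su on Debian/Ubuntu: it separates the case discussed here (root dropping to nobody with no controlling tty, as a cron job would) from a switch into root, which should keep alerting. The PRIVILEGED set is an assumed policy, and every sample log line except the one quoted in the thread is constructed.

```python
import re
from collections import namedtuple

# su syslog format quoted in the thread (shadow's su, as on Debian/Ubuntu):
#   "Mar 20 06:25:16 tribble su[3663]: + ??? root:nobody"
# '+' = switch succeeded, '-' = failed; the next field is the controlling tty,
# and "???" means there was none (cron jobs, scripts, daemons).
SU_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"su\[(?P<pid>\d+)\]: (?P<result>[+-]) (?P<tty>\S+) (?P<src>[^:\s]+):(?P<dst>\S+)$"
)
PRIVILEGED = {"root"}  # assumed policy: accounts whose acquisition must always alert

SuEvent = namedtuple("SuEvent", "host pid success tty src dst")

def parse_su_line(line):
    """Parse one su '+'/'-' line into an SuEvent; return None for any other line."""
    m = SU_LINE.match(line.strip())
    if not m:
        return None
    return SuEvent(m["host"], int(m["pid"]), m["result"] == "+",
                   m["tty"], m["src"], m["dst"])

def classify(ev):
    """Triage label; the thread's root -> nobody with tty '???' is a privilege drop."""
    drop = ev.src in PRIVILEGED and ev.dst not in PRIVILEGED
    if not ev.success:
        return "failed-escalation" if ev.dst in PRIVILEGED else "failed-switch"
    if ev.dst in PRIVILEGED and ev.src not in PRIVILEGED:
        return "escalation"                     # someone became root: keep the alert
    if drop and ev.tty == "???":
        return "noninteractive-privilege-drop"  # cron/script shedding root, low priority
    if drop:
        return "interactive-privilege-drop"     # root at a terminal becoming a user
    return "lateral-switch"                     # user -> user, still worth a look

def triage(lines):
    """Map each recognised su line to (src, dst, label); unrelated lines are skipped."""
    events = (parse_su_line(line) for line in lines)
    return [(ev.src, ev.dst, classify(ev)) for ev in events if ev]

# Constructed sample log; only the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Mar 20 06:25:16 tribble su[3663]: + ??? root:nobody",
    "Mar 20 06:26:01 tribble CRON[3670]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 20 08:10:44 tribble su[4012]: + pts/1 thorne:root",
    "Mar 20 08:11:02 tribble su[4015]: - pts/2 guest:root",
]
```

Running triage(SAMPLE_LOG) labels the thread's line a noninteractive privilege drop and the constructed thorne:root and guest:root lines an escalation and a failed escalation respectively.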
