Hi all,
First: My apologies, if the following is off topic in a way ..

I'm running Redhat 6.2 here.
My basic question is whether I was hacked or not.
I think that not, but I'd like to be sure ..

The details:
There was a process running on my machine where I do not know exactly
whether it was started from an outside machine (my single user
machine I'm talking about was connected to the Internet at this time)
or whether this process was started locally by myself.

I have this log entry in /var/log/secure that I try to understand
since some hours, to not so much avail 'til now:

---------------------
Jun  4 21:38:59 [HOSTNAME] pam_xauth[1816]: do_file: could not create dir /var/spool/news/.xauth
Jun  4 21:38:59 [HOSTNAME] pam_xauth[1816]: do_file: could not create dir /var/spool/news/.xauth
----------------------------------------

So who or what tried to create /var/spool/news/.xauth at this time?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

other logs from the same time:

/var/log/messages:
-------------------------------
Jun  4 21:38:03 [HOSTNAME] anacron[1649]: Updated timestamp for job `cron.daily' to 2002-06-04
Jun  4 21:38:59 [HOSTNAME] PAM_pwdb[1816]: (su) session opened for user news by root(uid=0)
Jun  4 21:38:59 [HOSTNAME] PAM_pwdb[1816]: (su) session closed for user news
--------------------------------

I *think* that I had run at this time
run-parts /etc/cron.daily
manually, in a "su -" root session in an xterm in a user's X .. but
I'm not sure on this ....

but at any rate: part of /etc/cron.daily is slrnpull-expire; it reads
as this:
---------------------------------
#!/bin/sh
# files created by slrnpull are world-readable, not world-writable
umask 022
# only run if the slrnpull spool exists; su to the news user (home: /var/spool/news)
if [ -d /var/spool/slrnpull ]; then
        exec su news -c 'slrnpull --expire'
fi
----------------------------------

and yes, there are folders and files in /var/spool/slrnpull ...

My guess is that pam_xauth with its error-message was involved simply
for the fact that
run-parts /etc/cron.daily
was not started by crontab, but manually by local (su'ed) root in a
user's xterm ...

Am I right?

-- 
New Key on: http://home.t-online.de/home/520050060325-0001/
Key fingerprint = 40CD 52DF A5AC 66A3 C0F4  F54D 0B0B 9ED1 860A 9B64

http://www.geocities.com/wolfgangpfeiffer/
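One way to check the hypothesis in the post against the logs, as an added example that is not part of the original message: correlate each pam_xauth failure in /var/log/secure with the su session that carries the same PID in /var/log/messages. The sample lines are constructed from the two logs quoted above (hostname "host" substituted); the function names are this example's own.

```python
import re

# Constructed sample lines modelled on the two logs quoted in the post.
SECURE_LOG = """\
Jun  4 21:38:59 host pam_xauth[1816]: do_file: could not create dir /var/spool/news/.xauth
Jun  4 21:38:59 host pam_xauth[1816]: do_file: could not create dir /var/spool/news/.xauth
"""
MESSAGES_LOG = """\
Jun  4 21:38:03 host anacron[1649]: Updated timestamp for job `cron.daily' to 2002-06-04
Jun  4 21:38:59 host PAM_pwdb[1816]: (su) session opened for user news by root(uid=0)
Jun  4 21:38:59 host PAM_pwdb[1816]: (su) session closed for user news
"""

# Classic syslog layout: "Mon  D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SU_OPEN_RE = re.compile(r"\(su\) session opened for user (?P<target>\S+) by (?P<by>\S+)")

def parse(text):
    """Yield one dict per syslog line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()

def explain_xauth_failures(secure_text, messages_text):
    """Map each pam_xauth[pid] failure to the su session logged under the same PID.

    pam_xauth runs inside the su process, so its PID equals the PID of the
    PAM_pwdb "(su) session opened" line. Returns a list of
    (pid, target_user, invoked_by) tuples; the last two are None when no su
    session with that PID was found, which is the case worth investigating."""
    su_by_pid = {}
    for rec in parse(messages_text):
        m = SU_OPEN_RE.search(rec["msg"])
        if rec["prog"] == "PAM_pwdb" and m:
            su_by_pid[rec["pid"]] = (m.group("target"), m.group("by"))
    seen, out = set(), []
    for rec in parse(secure_text):
        if rec["prog"] != "pam_xauth" or rec["pid"] in seen:
            continue  # the failure is logged twice per su; report it once
        seen.add(rec["pid"])
        target, by = su_by_pid.get(rec["pid"], (None, None))
        out.append((rec["pid"], target, by))
    return out
```

For the quoted logs the only failure resolves to PID 1816, an su to "news" invoked by root(uid=0) in the same second, which matches a local "su news -c ..." from an X session rather than an unexplained remote login.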

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list