Hello list,

I found this >> in my log file today:

Mar 2 04:15:00 pxxxxxxxx /USR/SBIN/CRON[18880]: (root) CMD (/root/confixx/confixx_counterscript.pl)
Mar 2 04:15:04 pxxxxxxxx su: (to nobody) root on none
Mar 2 04:15:04 pxxxxxxxx su: pam_unix2: session started for user nobody, service su
Mar 2 04:15:11 pxxxxxxxx su: pam_unix2: session finished for user nobody, service su
Mar 2 04:16:00 pxxxxxxxx /USR/SBIN/CRON[19006]: (root) CMD (/root/confixx/confixx_counterscript.pl)

Do I have to regard this as a successful break-in attempt?

Regards,
Reiner Pietrzak

Hi,

On Wednesday 02 March 2005 11:32, Reiner Pietrzak wrote:
> I found this >> in my log file today:

This is an English only list.

> Mar 2 04:15:00 pxxxxxxxx /USR/SBIN/CRON[18880]: (root) CMD (/root/confixx/confixx_counterscript.pl)
> Mar 2 04:15:04 pxxxxxxxx su: (to nobody) root on none
> Mar 2 04:15:04 pxxxxxxxx su: pam_unix2: session started for user nobody, service su
> Mar 2 04:15:11 pxxxxxxxx su: pam_unix2: session finished for user nobody, service su
> Mar 2 04:16:00 pxxxxxxxx /USR/SBIN/CRON[19006]: (root) CMD (/root/confixx/confixx_counterscript.pl)
>
> Do I have to regard this as a successful break-in attempt?

No. Your box just ran a couple of cron jobs. You'll find that every day.

Bastian

--
Bastian Friedrich bastian@bastian-friedrich.de
Adress & Fon available on my HP http://www.bastian-friedrich.de/
Don't rush me. I get paid by the hour.

On Wednesday 02 March 2005 11.38, Bastian Friedrich wrote:
> Hi,
>
> On Wednesday 02 March 2005 11:32, Reiner Pietrzak wrote:
> > I found this >> in my log file today:
>
> This is an English only list.
>
> > Mar 2 04:15:00 pxxxxxxxx /USR/SBIN/CRON[18880]: (root) CMD (/root/confixx/confixx_counterscript.pl)
> > Mar 2 04:15:04 pxxxxxxxx su: (to nobody) root on none
> > Mar 2 04:15:04 pxxxxxxxx su: pam_unix2: session started for user nobody, service su
> > Mar 2 04:15:11 pxxxxxxxx su: pam_unix2: session finished for user nobody, service su
> > Mar 2 04:16:00 pxxxxxxxx /USR/SBIN/CRON[19006]: (root) CMD (/root/confixx/confixx_counterscript.pl)
> >
> > Do I have to regard this as a successful break-in attempt?
>
> No. Your box just ran a couple of cron jobs. You'll find that every day.
>
> Bastian

The at daemon and cron just ran the /root/confixx/confixx_counterscript.pl script. Apparently something that root entered. (Check the /root/confixx/confixx_counterscript.pl to see exactly what it does.)

Mar 2 04:15:04 pxxxxxxxx su: (to nobody) root on none
Mar 2 04:15:04 pxxxxxxxx su: pam_unix2: session started for user

is a user running 'su'

--
/Rikard
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com/users/rikjoh
Mob : +46 735 05 51 01
PGP : 0x461CEE56

Hello,

On Wednesday, 2 March 2005 11:32, Reiner Pietrzak wrote:
> Mar 2 04:15:00 pxxxxxxxx /USR/SBIN/CRON[18880]: (root) CMD (/root/confixx/confixx_counterscript.pl)
> [...]
> Do I have to regard this as a successful break-in attempt?

No, just a cronjob.

But: I hope you've installed the Confixx bugfixes. Without them, users can do a "full backup" (including /etc/shadow!) of your system by replacing ~/html or ~/files with a symlink to / and requesting a backup via Confixx. (Backups are done as root!) And they can overwrite files by hardlinking them and doing a restore.

This bug affects Confixx version 2 and 3. If you didn't install the Confixx updates, at least remove the backup and restore functionality from the web interface.

Regards,

Christian Boltz
--
"Wouldn't the sentence 'I want to put a hyphen between the words Fish and And and And and Chips in my Fish-And-Chips sign' have been clearer if quotation marks had been placed before Fish, and between Fish and and, and and and And, and And and and, and and and And, and And and and, and and and Chips, as well as after Chips?" -- BSD fortune file
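
An added example, not part of the thread and not Confixx code: a check an administrator could run before a root-owned backup or restore job touches customer directories, flagging the ~/html and ~/files symlink and hardlink tricks described in the last reply. It goes slightly beyond the post by also flagging symlinks nested inside those directories; `audit_home`, `build_sample` and the `web1`/`web2` layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

WATCHED = ("html", "files")  # directory names from the post above


def audit_home(home):
    """List link tricks under one customer home (hypothetical helper)."""
    findings = []
    home_real = os.path.realpath(home)
    for name in WATCHED:
        path = os.path.join(home, name)
        if os.path.islink(path):
            # A root-run backup that follows this link archives the target.
            target = os.path.realpath(path)
            inside = os.path.commonpath([home_real, target]) == home_real
            findings.append(("symlink" if inside else "symlink-outside", path, target))
            continue
        # os.walk does not descend into symlinked directories by default.
        for root, dirs, names in os.walk(path):
            for entry in dirs + names:
                full = os.path.join(root, entry)
                st = os.lstat(full)
                if stat.S_ISLNK(st.st_mode):
                    findings.append(("nested-symlink", full, os.path.realpath(full)))
                elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                    # The post says a restore can overwrite files via hardlinks.
                    findings.append(("hardlink", full, "nlink=%d" % st.st_nlink))
    return findings


def build_sample(base):
    """Constructed test tree: web1 is clean, web2 uses both tricks."""
    os.makedirs(os.path.join(base, "web1", "html"))
    open(os.path.join(base, "web1", "html", "index.html"), "w").close()
    os.makedirs(os.path.join(base, "web2", "files"))
    os.symlink("/", os.path.join(base, "web2", "html"))
    victim = os.path.join(base, "victim.conf")
    open(victim, "w").close()
    os.link(victim, os.path.join(base, "web2", "files", "notes.txt"))
    return [os.path.join(base, "web1"), os.path.join(base, "web2")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for home in build_sample(base):
            print(home, audit_home(home) or "clean")
```

Any finding is a reason to skip that home and look at it by hand; a hardlink count above one is only a candidate, since users may legitimately hardlink their own files.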