Strange entry in message-log?
Hi,

sorry I'm not very used to the entries in the message-log, though I can't identify, if the following lines are harmless (because the system has done something for which it uses root rights) or dangerous (because someone has hacked the box and got root rights for the user nobody)

Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su
Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su

The Linux-Box runs SuSE-Linux 7.2 Kernel 2.4.7 - it denies connections other than from our router (I hope so) and runs apache 1.3.26, tomcat 4.0.2, php 4.0.1.

Can anyone help with a hint?

--
Kind regards
Thomas Albl
Deutscher Städtetag
Tel. : 0221/3771-210
FAX : 0221/3771-128
eMail: mailto:thomas.albl@staedtetag.de
Web : http://www.staedtetag.de
Albl, Thomas wrote:
Hi,
sorry I'm not very used to the entries in the message-log, though I can't identify, if the following lines are harmless (because the system has done something for which it uses root rights) or dangerous (because someone has hacked the box and got root rights for the user nobody)
Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su
Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su
The Linux-Box runs SuSE-Linux 7.2 Kernel 2.4.7 - it denies connections other than from our router (I hope so) and runs apache 1.3.26, tomcat 4.0.2, php 4.0.1.
Can anyone help with a hint?
With that old box you should really care about updates. Did you run fou4s or so lately? (And a kernel update maybe, 2.4.7 has local root exploits (ptrace).) But back to your question: these entries are generated by a daily cronjob (updatedb etc.) and are started every night at 0:15. So it's nothing really unusual and you can relax with that :)

Regards, Sven
On Fri, 04-07-2003 at 08:09, Sven 'Darkman' Michels wrote:
Albl, Thomas wrote:
Hi,
sorry I'm not very used to the entries in the message-log, though I can't identify, if the following lines are harmless (because the system has done something for which it uses root rights) or dangerous (because someone has hacked the box and got root rights for the user nobody)
Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su
Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su
The Linux-Box runs SuSE-Linux 7.2 Kernel 2.4.7 - it denies connections other than from our router (I hope so) and runs apache 1.3.26, tomcat 4.0.2, php 4.0.1.
Can anyone help with a hint?
With that old box you should really care about updates. Did you run fou4s or so lately? (And a kernel update maybe, 2.4.7 has local root exploits (ptrace).) But back to your question: these entries are generated by a daily cronjob (updatedb etc.) and are started every night at 0:15. So it's nothing really unusual and you can relax with that :)
Regards, Sven
Hello Thomas,
Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su
Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su
--> This is normal. It is caused by the SuSE default cron-jobs like logrotate, do_mandb, updatedb, ... See /etc/cron.daily, cron.hourly, cron.monthly, cron.weekly

HTH, Armin

--
Am Hasenberg 26
D-18209 Bad Doberan
Tel. ++49-(0)38203/42137
Email: schoech@iap-kborn.de
WWW: http://armins.cjb.net/

office: Institut für Atmosphärenphysik
Schloss-Straße 6
D-18225 Kühlungsborn / GERMANY
Tel. +49-(0)38293-68-102
Fax. +49-(0)38293-68-50
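An added example, not part of the original thread and not code from any of the participants: a Python check that pairs the PAM `su` session lines quoted above by PID and separates sessions for `nobody` that start at the nightly cron time from those that do not. The 0:15 start time and the year come from the thread; the five-minute tolerance, the function names and the last two sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Line format as quoted in the thread (classic syslog, no year field).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+PAM-unix2\[(?P<pid>\d+)\]:\s+"
    r"session (?P<event>started|finished) for user (?P<user>\S+), service (?P<service>\S+)$"
)
CRON_START = (0, 15)              # nightly job time given in the thread's replies
TOLERANCE = timedelta(minutes=5)  # assumption: allowed drift around that time


def parse(lines, year=2003):
    """Yield (timestamp, pid, event, user, service) for PAM session lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, int(m["pid"]), m["event"], m["user"], m["service"]


def review_su_sessions(lines, user="nobody"):
    """Pair start/finish by PID; return (expected, unexpected) session lists."""
    open_sessions, expected, unexpected = {}, [], []
    for ts, pid, event, who, service in parse(lines):
        if who != user or service != "su":
            continue
        if event == "started":
            open_sessions[pid] = ts
        elif pid in open_sessions:
            start = open_sessions.pop(pid)
            window = start.replace(hour=CRON_START[0], minute=CRON_START[1], second=0)
            bucket = expected if abs(start - window) <= TOLERANCE else unexpected
            bucket.append((pid, start, ts - start))
    # A session that started but never finished is reported as well.
    unexpected += [(pid, start, None) for pid, start in open_sessions.items()]
    return expected, unexpected


SAMPLE = [  # first two lines are from the thread; the last two are constructed
    "Jul 3 00:15:12 www PAM-unix2[4780]: session started for user nobody, service su",
    "Jul 3 00:16:54 www PAM-unix2[4780]: session finished for user nobody, service su",
    "Jul 3 14:02:40 www PAM-unix2[5311]: session started for user nobody, service su",
    "Jul 3 14:02:59 www PAM-unix2[5311]: session finished for user nobody, service su",
]

if __name__ == "__main__":
    print(review_su_sessions(SAMPLE))
```

A session in the second list is only a prompt to look at what ran at that time, for example by comparing it with the jobs under /etc/cron.daily and the other cron directories named in the reply above.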