On Thursday, January 15, 2004 5:17 PM [GMT+1=CET], Barak Korren <[EMAIL PROTECTED]> wrote:
> Ian Brayshaw wrote:
>
>> On Tuesday 13 January 2004 9:29 am, Christian Schuerer wrote:
>>
>>> Since updating my Debian server yesterday I get the following error
>>> messages every hour (generated by logcheck):
>>>
>>> Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody
>>
>> I now get similar messages in my logs after a recent upgrade of
>> AIDE.
>>
>> .ib
>
> I got those too:
>
> Jan 15 06:25:03 ifireball su[21163]: + ??? root:nobody
>
> However, I do not have AIDE installed, and grepping for "su" in
> /etc/cron/daily produced nothing meaningful.
> Also, chkrootkit reports processes hidden from ps, but /proc/*/status
> reports them to be ksoftirq_CPU0, kswapd, bdflush and kupdated, which
> seem to be legit (no doubles).

Yes, 'su' isn't called in the cron files; it's used to run the commands in the cron files as the specified user. So for example, my /etc/cron.d/mrtg contains:

    0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ]; then /usr/bin/mrtg /etc/mrtg.cfg >> /var/log/mrtg/mrtg.log; fi

So basically, it runs mrtg as user 'root' every 5 minutes. Thus, you'll see an entry like you posted, to indicate that su has been used to become root and execute the mrtg command.

Regards,
Teun
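
Added example, not part of the original thread or written by any of its participants: a small triage script for `su` syslog entries like the ones quoted above, grouping terminal-less successes by host, user pair and time slot so recurring ones stand out. The field meanings (sign, tty, from:to) are an assumption based on the shadow `su` log format, and the sample lines marked as constructed are invented for illustration.

```python
import re
from collections import Counter

# Assumed record layout (shadow "su" syslog entry, not stated in the thread):
#   <sign> <tty> <from_user>:<to_user>
# sign: '+' success, '-' failure; tty is "???" when su ran without a terminal.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu\[(?P<pid>\d+)\]:\s"
    r"(?P<sign>[+-])\s(?P<tty>\S+)\s(?P<src>[^:\s]+):(?P<dst>\S+)$"
)

def parse_su_line(line):
    """Return the fields of one su syslog line as a dict, or None if it is not one."""
    m = SU_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["success"] = rec.pop("sign") == "+"
    rec["no_tty"] = rec["tty"] == "???"
    return rec

def triage(lines):
    """Group tty-less successes by (host, from, to, HH:MM); return the rest for review."""
    recurring, review = Counter(), []
    for line in lines:
        rec = parse_su_line(line)
        if rec is None:
            continue
        if rec["success"] and rec["no_tty"]:
            # ts ends in HH:MM:SS; keep HH:MM as the time slot
            recurring[(rec["host"], rec["src"], rec["dst"], rec["ts"][-8:-3])] += 1
        else:
            review.append(rec)
    return recurring, review

SAMPLE = [
    "Jan 13 06:25:01 asterix su[5741]: + ??? root:nobody",    # from the thread
    "Jan 14 06:25:02 asterix su[6011]: + ??? root:nobody",    # constructed
    "Jan 15 06:25:03 ifireball su[21163]: + ??? root:nobody", # from the thread
    "Jan 15 10:02:11 asterix su[6100]: - pts/0 alice:root",   # constructed
    "Jan 15 10:02:12 asterix sshd[6101]: unrelated line",     # constructed
]

if __name__ == "__main__":
    recurring, review = triage(SAMPLE)
    for key, count in sorted(recurring.items()):
        print("recurring", key, count)
    for rec in review:
        print("review", rec["host"], rec["tty"], rec["src"], "->", rec["dst"])
```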