On Monday 04 December 2000 10:48 am, you wrote:
> and much more =

More logs would be helpful to really determine if there was a break-in, however maybe the questions below can give you a place to start looking.

> Dec 3 23:20:15 linux inetd[17048]: connection from 200.176.106.246
> Dec 3:23:35:05 linux PAM_pwdb[17124]: (su) session opened for user
> nobody by (uid=99)

Well, you've got a 15 minute gap between the inetd log entry and the su. What happened in between? What did inetd spawn? When did pam close the su session? Did anything get logged as being run by nobody after the su? Do you recognize the IP address? What daemons/services run on the box as what users?

It could be something as simple as running Apache from inetd and a script that Apache calls with the suexec wrapper. But without knowing your inetd setup, what else went on in the interim, and what other correlated actions with the IP address, it would be hard to tell what activity is really going on.

--
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com
____________________________
A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close
is busy, hung or dead
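The correlation those questions call for, as an added example that is not part of the original message: it pairs each `(su) session opened` entry with earlier `connection from` entries and with its closing entry. The sample lines are constructed; the `session closed` wording, matching open and close by PID, the 30-minute window and the supplied year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the two quoted entries (not real data).
SAMPLE = """\
Dec  3 23:20:15 linux inetd[17048]: connection from 192.0.2.10
Dec  3 23:20:16 linux in.ftpd[17049]: connect from 192.0.2.10
Dec  3 23:35:05 linux PAM_pwdb[17124]: (su) session opened for user nobody by (uid=99)
Dec  3 23:41:30 linux PAM_pwdb[17124]: (su) session closed for user nobody
Dec  3 23:50:02 linux PAM_pwdb[17201]: (su) session opened for user nobody by (uid=99)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)\[(\d+)\]: (.*)$")
CONN = re.compile(r"connect(?:ion)? from (\d+\.\d+\.\d+\.\d+)")
SU = re.compile(r"\(su\) session (opened|closed) for user (\S+)")

def parse(text, year=2000):
    """Yield (timestamp, program, pid, message). Syslog omits the year, so it is supplied."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), int(m.group(4)), m.group(5)

def triage(text, window=timedelta(minutes=30)):
    """Per su session: connections seen within `window` before it, and its close time."""
    conns, sessions = [], {}
    for ts, prog, pid, msg in parse(text):
        c, s = CONN.search(msg), SU.search(msg)
        if c:
            conns.append((ts, prog, c.group(1)))
        elif s and s.group(1) == "opened":
            prior = [(ip, p, ts - t) for t, p, ip in conns if ts - t <= window]
            sessions[pid] = {"user": s.group(2), "opened": ts,
                             "closed": None, "prior": prior}
        elif s and pid in sessions:  # assumption: close is logged under the same PID
            sessions[pid]["closed"] = ts
    return sessions

if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        state = info["closed"] or "NEVER CLOSED in this log"
        print(f"su[{pid}] as {info['user']}: opened {info['opened']}, closed {state}")
        for ip, prog, gap in info["prior"]:
            print(f"    {gap} earlier: {prog} saw {ip}")
```

A session with no closing entry, or one whose only preceding connection is minutes old with nothing logged in between, marks where to pull more logs.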