OK - disconnect your box from the net. Better safe than sorry until we work
out what's happening here!

Log in as warren.

Su over to root (as your normal user won't be able to read the file I'm
about to ask you to!)

Use your favourite editor to have a browse through "/var/log/messages".

Do you see root logging on at strange times, when it couldn't have possibly
been you? If so, you're probably in trouble and should seriously think about
a full re-install and installing a better firewall, as it's likely you've
been compromised. Do you have tripwire running and set up correctly?

If you feel uncomfortable, feel free to email me directly with your
/var/log/messages file and I'll have a shufty. Feel free to perform a global
replace of any sensitive information, like your IP address and suchlike,
with xxx's.

Hopefully, it's something simply and purely a misinterpretation by yourself,
but personally, I'd be concerned - you should NEVER see root logging on by
itself!

Steve Flynn
NOP Data Migration Ops Analyst
* 01603 687386

-----Original Message-----
From: WCBaker [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 1:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] root login by default ; response to Steve's post

Hi Steve!

Yes, I have one for warren and one for root. It also tells me that root
logged in shortly before warren (yet I never logged on as root). In
addition, it works this way even if I log off, and shut down. I'm on cable
modem and I worried that something untoward was happening, so I'd shut down
and then try getting back on. It just sits there "idle" when I log on.

Cheers!
-warren

----- Original Message -----
From: "FLYNN, Steve" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 29, 2001 4:52 AM
Subject: RE: [newbie] Re: root login by default - want to terminate
> Are you saying that when you log into your box as warren or whatever, and you
> issue a who command you get two entries - one for warren and one for root?
>
> Similar to this:
>
> (flynns1)/nu/unuat/opc/logs) who
> wightmp wdp000 Aug 29 11:47
> operator ttyAG/AKGa Aug 20 13:10
> danchev ttyAE/ATEv Aug 28 09:45
> danchev ttyAG/AEG8 Aug 28 14:39
> korennr ttyAF/AFFr Aug 29 09:45
> forresj ttyAG/AIG0 Aug 29 11:33
> taylop7 ttyAH/AIHt Aug 29 11:39
> flynns1 ttyAE/AJED Aug 29 11:44
> (flynns1)/nu/unuat/opc/logs)
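
The log review suggested at the top of this thread can be scripted. The following is an added example, not part of the original e-mails: it pulls every "session opened for user root" entry out of syslog text and marks the ones that are not an `su` by a known user or that fall outside expected hours. The pam_unix line format, the sample lines, the admin list and the hour window are assumptions; adjust them to what your own /var/log/messages contains.

```python
import re

# Constructed sample in classic syslog/pam_unix format; not from the poster's machine.
SAMPLE = """\
Aug 29 19:02:11 localhost login(pam_unix)[812]: session opened for user warren by LOGIN(uid=0)
Aug 29 19:05:40 localhost su(pam_unix)[901]: session opened for user root by warren(uid=500)
Aug 29 19:06:02 localhost su(pam_unix)[901]: session closed for user root
Aug 30 03:41:17 localhost login(pam_unix)[1440]: session opened for user root by LOGIN(uid=0)
Aug 30 03:41:17 localhost login[1440]: ROOT LOGIN ON tty2
Aug 30 09:15:00 localhost sshd(pam_unix)[2210]: session opened for user root by (uid=0)
Aug 30 09:20:31 localhost su(pam_unix)[2300]: session opened for user root by nobody(uid=99)
"""

# Assumed line layout: "Mon DD HH:MM:SS host service(pam_unix)[pid]: session opened ..."
LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):(?P<min>\d{2}):\d{2} \S+ "
    r"(?P<svc>[\w-]+)(?:\(pam_unix\))?\[\d+\]: "
    r"session opened for user root by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\)")

def root_sessions(text, admins=("warren",), hours=range(8, 23)):
    """Return (timestamp, service, opened_by, reasons) for every root session.
    An empty reasons list means the entry matches expected admin activity."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a root session-open record
        reasons = []
        by = m["by"] or "?"  # some services log no originating user
        if m["svc"] != "su":
            reasons.append("direct root login via " + m["svc"])
        elif by not in admins:
            reasons.append("su to root by unexpected user " + by)
        if int(m["hour"]) not in hours:
            reasons.append("outside expected hours")
        stamp = f'{m["mon"]} {int(m["day"]):2d} {m["hour"]}:{m["min"]}'
        findings.append((stamp, m["svc"], by, reasons))
    return findings

if __name__ == "__main__":
    for stamp, svc, by, reasons in root_sessions(SAMPLE):
        print(stamp, svc, by, "; ".join(reasons) or "ok")
```

To run it against a real log, read the file as root and pass its contents to `root_sessions()` in place of `SAMPLE`.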