Re: auth.log

2002-05-22 Thread Olaf Meeuwissen

Oki DZ [EMAIL PROTECTED] writes:

 Hi,
 
 I have quite a lot of the following lines in auth.log.
 bdg:/var/log# tail auth.log
 May 22 12:55:02 bdg PAM_unix[1477]: (cron) session closed for user root
 May 22 12:55:02 bdg PAM_unix[1476]: (cron) session closed for user root
 May 22 13:00:01 bdg PAM_unix[1536]: (cron) session opened for user root by (uid=0)
 May 22 13:00:02 bdg PAM_unix[1536]: (cron) session closed for user root
 May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
 May 22 13:05:01 bdg PAM_unix[1596]: (cron) session opened for user root by (uid=0)
 May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
 May 22 13:05:02 bdg PAM_unix[1596]: (cron) session closed for user root
 May 22 13:10:01 bdg PAM_unix[1633]: (cron) session opened for user root by (uid=0)
 May 22 13:10:01 bdg PAM_unix[1633]: (cron) session closed for user root
 
 Does it mean that somebody has been trying to log in?

Looks like you have a cron job running every five minutes.  As I don't
recall anything out of the box that does this, it's probably something
you configured yourself.  I'd guess a mail-transfer-agent.

Check /etc/crontab and /etc/cron.d/* for culprits.
-- 
Olaf Meeuwissen                         Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: auth.log

2002-05-22 Thread Oki DZ

On 22 May 2002, Olaf Meeuwissen wrote:
 Looks like you have a cron job running every five minutes.  As I don't
 recall anything out of the box that does this, it's probably something
 you configured yourself.  I'd guess a mail-transfer-agent.

I guess it's all right then; I have MRTG running for every 5 min.

Oki







Re: auth.log

2002-05-22 Thread Rishi L Khan

Sounds like you have some cron jobs running every five minutes. Check your
/etc/crontab, /etc/cron.d, /etc/cron.daily. See if you can find the jobs
that are running every five minutes. If someone was trying to log in, it
would say which tty they were logging in from, or it would have associated
sshd or telnetd log entries ... not just PAM_unix.

On Wed, 22 May 2002, Oki DZ wrote:

 Hi,

 I have quite a lot of the following lines in auth.log.
 bdg:/var/log# tail auth.log
 May 22 12:55:02 bdg PAM_unix[1477]: (cron) session closed for user root
 May 22 12:55:02 bdg PAM_unix[1476]: (cron) session closed for user root
 May 22 13:00:01 bdg PAM_unix[1536]: (cron) session opened for user root by (uid=0)
 May 22 13:00:02 bdg PAM_unix[1536]: (cron) session closed for user root
 May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
 May 22 13:05:01 bdg PAM_unix[1596]: (cron) session opened for user root by (uid=0)
 May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
 May 22 13:05:02 bdg PAM_unix[1596]: (cron) session closed for user root
 May 22 13:10:01 bdg PAM_unix[1633]: (cron) session opened for user root by (uid=0)
 May 22 13:10:01 bdg PAM_unix[1633]: (cron) session closed for user root

 Does it mean that somebody has been trying to log in?

 Thanks in advance,
 Oki





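An added example (my own code, not something posted by anyone in this thread) that does by script what Olaf and Rishi describe doing by eye: parse the PAM_unix session lines, pair each "opened" with its "closed" by PID and service, check whether the service is cron and whether the opens recur at a fixed interval, and for any other service look for a companion sshd/login line from the same PID that names the tty or source address. The first input is the excerpt from Oki's post with the mail-wrapped lines rejoined; the second is a constructed contrast case with an ssh login, whose user name, PID and address are made up.

```python
import re
from datetime import datetime

# Constructed sample input: the auth.log excerpt from the original post, with the
# mail-wrapped "opened for user root by (uid=0)" lines rejoined onto one line each.
SAMPLE_AUTH_LOG = """\
May 22 12:55:02 bdg PAM_unix[1477]: (cron) session closed for user root
May 22 12:55:02 bdg PAM_unix[1476]: (cron) session closed for user root
May 22 13:00:01 bdg PAM_unix[1536]: (cron) session opened for user root by (uid=0)
May 22 13:00:02 bdg PAM_unix[1536]: (cron) session closed for user root
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
May 22 13:05:01 bdg PAM_unix[1596]: (cron) session opened for user root by (uid=0)
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
May 22 13:05:02 bdg PAM_unix[1596]: (cron) session closed for user root
May 22 13:10:01 bdg PAM_unix[1633]: (cron) session opened for user root by (uid=0)
May 22 13:10:01 bdg PAM_unix[1633]: (cron) session closed for user root
"""

# Constructed contrast case (not from the post): one cron session plus an interactive
# ssh login. The sshd line carrying the source address shares the PID of the PAM lines.
SAMPLE_WITH_LOGIN = """\
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session opened for user root by (uid=0)
May 22 13:05:01 bdg PAM_unix[1597]: (cron) session closed for user root
May 22 13:07:40 bdg sshd[1610]: Accepted password for oki from 10.0.0.5 port 41234 ssh2
May 22 13:07:40 bdg PAM_unix[1610]: (ssh) session opened for user oki by (uid=0)
May 22 13:09:12 bdg PAM_unix[1610]: (ssh) session closed for user oki
"""

PAM_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"PAM_unix\[(?P<pid>\d+)\]: \((?P<service>[^)]+)\) session "
    r"(?P<event>opened|closed) for user (?P<user>\S+)(?: by (?P<by>.+))?$"
)

# Services whose sessions are expected to open and close with no human behind them.
NON_INTERACTIVE = {"cron", "anacron"}


def parse_auth_log(text):
    """One dict per PAM_unix session line, with the year-less syslog timestamp parsed."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{ev['mon']} {ev['day']} {ev['time']}", "%b %d %H:%M:%S")
            events.append(ev)
    return events


def pair_sessions(events):
    """Match 'opened' with 'closed' by (pid, service). Returns (sessions, orphan_closes);
    a close without a visible open just means the open fell outside the tail window."""
    pending, sessions, orphans = {}, [], []
    for ev in events:
        key = (ev["pid"], ev["service"])
        if ev["event"] == "opened":
            pending[key] = ev
            continue
        start = pending.pop(key, None)
        if start is None:
            orphans.append(ev)
            continue
        sessions.append({
            "pid": ev["pid"], "service": ev["service"], "user": ev["user"],
            "opened": start["ts"], "closed": ev["ts"],
            "seconds": (ev["ts"] - start["ts"]).total_seconds(),
        })
    return sessions, orphans


def interactive_sessions(sessions):
    """Sessions not opened by the scheduler; these are the ones that should come with a
    tty or an sshd/login/telnetd line saying where they came from."""
    return [s for s in sessions if s["service"] not in NON_INTERACTIVE]


def open_intervals(sessions, service="cron"):
    """Seconds between consecutive distinct open times for one service; a constant value
    (300 here) is the fingerprint of a periodic job rather than a person."""
    times = sorted({s["opened"] for s in sessions if s["service"] == service})
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def companion_lines(text, pid):
    """Non-PAM lines from the same PID (e.g. sshd 'Accepted ... from <addr>'). An interactive
    session normally has one; a cron session has none."""
    return [l for l in text.splitlines() if f"[{pid}]:" in l and "PAM_unix" not in l]


if __name__ == "__main__":
    for label, text in (("post excerpt", SAMPLE_AUTH_LOG), ("with ssh login", SAMPLE_WITH_LOGIN)):
        sessions, orphans = pair_sessions(parse_auth_log(text))
        print(f"{label}: {len(sessions)} sessions, {len(orphans)} closes without a visible open")
        print("  cron open-to-open gaps (s):", open_intervals(sessions))
        for s in interactive_sessions(sessions):
            print(f"  interactive: pid {s['pid']} service {s['service']} user {s['user']} "
                  f"{s['seconds']:.0f}s; evidence: {companion_lines(text, s['pid'])}")
```

On the post's excerpt every session is a cron session lasting a second or less, the opens recur exactly 300 seconds apart, and no PID has any non-PAM line beside it; on the contrast input the ssh session is the only one reported, and the sshd line for its PID is what tells you where it came from.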




Re: auth.log

2001-06-20 Thread Colin Phipps
On Wed, Jun 20, 2001 at 02:39:35PM +0200, Matthias Fritschi wrote:
 my linux knowledge comes more from the user/developer side of view, so I'm
 learning a lot at the moment to be able to set up our new webserver.
 today, I had the following two lines in auth.log, which scared me a bit:
 
   Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
   Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0)

That looks like a su from root _to_ nobody.

 could that mean somebody got into the server using a security leak in
 a process running as nobody?
 at this time, I was still sleeping, and nobody else has access to the server
 yet... [...] cron [...] running on the machine at this moment.

nausea ~% grep 25 /etc/crontab
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily

It's a cron job that does a su nobody before running something, do a
grep nobody /etc/cron.daily/* and it'll probably be there.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/



Re: auth.log

2001-06-20 Thread Jakub Jankowski
On 2001-06-20, Matthias Fritschi wrote:

  Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
  Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user 
  nobody by (uid=0)

 could that mean somebody got into the server using a security leak in
 a process running as nobody? at this time, I was still sleeping
 [...]

No. It means that some process running with root privileges switched
its uid to nobody's. There is some cron job executed at 6:25am
probably; this is the most common reason for 'automatic' su'ing from
root to nobody. Look for files containing the string 25 6 * somewhere
under /var. Their contents should explain many things to you.

I hope it'll help.

 matthias fritschi

Jakub Jankowski

-- 
(0    Jakub Jankowski   [url]: s.atn.pl          Beauty is skin deep;
//\   [EMAIL PROTECTED] [uin]: 70171776          ugly goes right
V_/_  [EMAIL PROTECTED] [cell]: 502110186        to the bone.



Re: auth.log

2001-06-20 Thread Ethan Benson
On Wed, Jun 20, 2001 at 01:46:26PM +0100, Colin Phipps wrote:
 It's a cron job that does a su nobody before running something, do a
 grep nobody /etc/cron.daily/* and it'll probably be there.

Specifically, it's /etc/cron.daily/find, which rebuilds the locatedb.
updatedb is a shell script and uses nobody to switch to the configured
uid (so protected directories are not listed in the locatedb).

I think it should use start-stop-daemon --chuid instead so there is
no log entry like this and we don't get these messages on the list
every 2 days.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


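An added example (my own code, not from anyone in this thread) that carries out Colin's and Jakub's check programmatically: parse the su line, then evaluate the system crontab schedule for that minute to see which job could have performed the root-to-nobody switch. The crontab is Colin's grep output plus constructed Debian-default lines so the matcher has entries to rule out; the second su event and its user name are made up for contrast, and the year is an assumption taken from the thread date, since syslog does not record one.

```python
import re
from datetime import datetime

# Constructed sample: the su line from the original question.
SU_EVENT_FROM_POST = "Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody"

# Constructed contrast case (not from the thread): an admin su'ing from a real tty at a
# time no system cron entry covers. The user name is hypothetical.
SU_EVENT_INTERACTIVE = "Jun 20 14:02:10 blacksun su[3140]: + pts/2 matthias-root"

# Constructed /etc/crontab: the daily line is Colin's grep output; the other three are the
# Debian defaults of that era, included so the matcher has something to rule out.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    run-parts --report /etc/cron.hourly
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.monthly
"""

# su logs "+ <tty> <from>-<to>" on success and "- <tty> <from>-<to>" on failure; "???" = no tty.
SU_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<src>[^-\s]+)-(?P<dst>\S+)$"
)
CRON_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def field_matches(field, value, lo, hi):
    """Does one crontab field ('*', '25', '1-5', '*/5', '0,30', '1-5/2') cover value?"""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (five time fields, user, command); skip comments and VAR=value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            keys = ("minute", "hour", "dom", "month", "dow", "user", "command")
            entries.append(dict(zip(keys, m.groups())))
    return entries


def entry_fires_at(entry, when):
    """True if the entry's schedule covers the minute containing `when` (Vixie cron rule:
    when both day-of-month and day-of-week are restricted, either one matching is enough)."""
    minute_ok = field_matches(entry["minute"], when.minute, 0, 59)
    hour_ok = field_matches(entry["hour"], when.hour, 0, 23)
    month_ok = field_matches(entry["month"], when.month, 1, 12)
    dom_ok = field_matches(entry["dom"], when.day, 1, 31)
    dow = (when.weekday() + 1) % 7          # cron: 0 or 7 = Sunday; Python: 0 = Monday
    dow_ok = field_matches(entry["dow"], dow, 0, 7) or (dow == 0 and field_matches(entry["dow"], 7, 0, 7))
    if entry["dom"] != "*" and entry["dow"] != "*":
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return minute_ok and hour_ok and month_ok and day_ok


def explain_su(line, crontab_text, year):
    """Parse an su log line and list the system crontab entries scheduled for that minute.
    syslog omits the year, so the caller supplies it (needed for the day of week)."""
    m = SU_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "when": when, "tty": m["tty"], "from": m["src"], "to": m["dst"],
        "succeeded": m["result"] == "+",
        "scheduled": [e for e in parse_system_crontab(crontab_text) if entry_fires_at(e, when)],
    }


if __name__ == "__main__":
    for line in (SU_EVENT_FROM_POST, SU_EVENT_INTERACTIVE):
        r = explain_su(line, CRONTAB, 2001)   # 2001: assumed from the thread date
        print(f"{r['when']:%a %b %d %H:%M} su {r['from']}->{r['to']} tty={r['tty']}")
        for e in r["scheduled"]:
            print(f"  matches crontab entry run as {e['user']}: {e['command']}")
        if not r["scheduled"]:
            print("  no system crontab entry fires at that minute; expect a tty and a matching login")
```

For the posted event the only entry that fires at 06:25 on a Wednesday is the cron.daily run, which is exactly where Ethan locates the su (the find/updatedb job); the constructed 14:02 event with a pts tty matches nothing, which is the case where one would go looking for the login that preceded it.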