Hi, I'm not sure what distro you run, by there are often sereral scripts
that run as user nobody out of cron. You should poke around /etc/crontab
and /etc/cron.daily, etc, i'm guessing you'll find the culprit there.
However, user nobody should definitely not have a password set. If it
does, that could be an indication that you are hosed.
Andrew
Patrick Curran wrote:
my harddrive was doing a whole lot in the middle of the night so I
checked and saw the use "nobody" was running "find". I was running an
ssh server and think that might be how they got in, so I shut that
down, cos I dont really need it. I also switched off the port
forwarding to the ssh port. I have a crappy wireless router from
verizon. I don't think i set up my logs correctly cos I suck and
couldn't really find much.
Are there some necessary things that I should change, im sure there
are, but I dunno what?
And what can I do with the nobody account, it is my understanding that
it should have no rights to do anything. I changed the password cos I
figure the person who got in set it to what he or she wanted...can I
just delete the account?
Thanks for any input. and yes one day i will stop being lazy and
secure my box.
--Patrick
