LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-14-2014, 01:12 AM   #1
_mz
Member
 
Registered: Jul 2013
Posts: 33

Rep: Reputation: Disabled
Security information alert - where it comes from?


Hi Guys,

I received this alert. Actually fwded by my colleague as he is not supposed to receive this alert. He asked me to check.

-------------
From: test@abc.com
To: root@abc.com,
Date: 11.04.2014 04:33
Subject: *** SECURITY information for server1 ***

server1 : Apr 11 10:33:19 : test : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -
-------------

Checked on /etc/syslog.conf and crontab - there were no settings. Could you guys please assist where else should I check? I need to disable this.
 
Old 04-14-2014, 02:02 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
The message literally reads "user not in sudoers" so this is about a command run with Sudo. Check its files, crontab and shell history around the time of the email. On a side note one really shouldn't create a user for testing named "test" as any arbitrarily named unprivileged user account can be used for testing and brute forcing accounts always try "test". Nine out of ten times "user test" will also have an easy to guess password, lack access restrictions and such.
 
Old 04-14-2014, 02:18 AM   #3
mddnix
Member
 
Registered: Mar 2013
Location: Bangalore, India
Distribution: Redhat, Arch, Ubuntu
Posts: 512

Rep: Reputation: 139Reputation: 139
What this means is, the user test (test@abc) tried to become root user by issuing command 'sudo su -'. As the user test is not mentioned /etc/sudoers file, the incident is reported in /var/log/secure (Redhat) or i think its /var/log/faillog in other distros.
 
Old 04-14-2014, 03:29 AM   #4
_mz
Member
 
Registered: Jul 2013
Posts: 33

Original Poster
Rep: Reputation: Disabled
unSpawn, to be clear, actually 'from' and 'to' are like this:

From: sysadm@mydomain
To: root@mydomain,

I have checked on sysadm's crontab - no crontabs for this user

mddesai, you are correct. The log is captured in /var/log/messages. I am running on SLES 11.1 so /var/log/secure is empty. I checked on /etc/syslog-ng/syslog-ng.conf as well but did not see any MAILTO, '@' thingy or something like an email syntax.
 
Old 04-14-2014, 02:03 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531Reputation: 3531
Quote:
Originally Posted by _mz View Post
I have checked on sysadm's crontab - no crontabs for this user
I thought I wrote "Check its files, crontab and shell history around the time of the email."?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Alert regarding Nividia Drivers from The Hacker News NattyNarwhal Linux - News 2 04-07-2013 01:57 AM
Java 6 <18 security alert regdub Slackware 3 05-09-2010 09:19 AM
Error Starting Connection: Security Alert ch485de Linux - Newbie 4 11-29-2006 11:45 AM
Security alert for 5/6/02 PostDeals Linux - Security 2 05-07-2002 09:11 AM
FYI (2/2): SANS Security Alert unSpawn Linux - Security 0 07-20-2001 07:42 AM


All times are GMT -5. The time now is 02:27 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration