Hey guys,

Im getting these on my /var/log/messages running on SUSE 10.0

Oct 25 05:30:13 xxx su: (to nobody) root on none
Oct 25 05:30:13 xxx su: (to nobody) root on none
Oct 25 05:30:13 xxx su: (to nobody) root on none
Oct 25 05:30:13 xxx su: (to nobody) root on none
Oct 25 05:30:14 xxx su: (to nobody) root on none
Oct 25 05:30:14 xxx su: (to nobody) root on none
Oct 25 05:30:14 xxx su: (to nobody) root on none

Im the only one who is supposed to have access to the system.

Does this mean someone might have gotten in?

THanks for the help.

There's several "su"'s out there, but yours looks like it reports both source and target user. If they start at 'root', and are dropping down to 'nobody', I'd say it was more like a script running that needed to drop root privs before running. I had an IRC server that had to be run as a normal user, yet the script to control it was root-only. I used to su down to nobody as a solution before I changed to my current setup.

Try grepping thru some system start scripts and see if you see it: fgrep 'su nobody' /etc/rc.d/rc.* (or where ever you keep your startup and rc scripts). At 5:30 a.m., that might be a cron job running.

You need to worry when you see user "nobody" trying for user "root".


PS: Is your hostname/domainname set correctly?

OK,

i didnt find any under root, so i guess its ok.

If you're talking about the hostname = XXX i changed that to hide it.
Thanks for the awesome advice.